diff --git a/Cat_1/RHEL-07-010290.yml b/Cat_1/RHEL-07-010290.yml
index 307ec5a..a9c7fd8 100644
--- a/Cat_1/RHEL-07-010290.yml
+++ b/Cat_1/RHEL-07-010290.yml
@@ -1,10 +1,10 @@ {{ if .Vars.RHEL_07_010290 }} command: - check_nullok: + check_nullok_pam: title: RHEL_07_010290 | The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords. exec: "grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth" exit-status: 1 - stdout: + stdout: - '!/./' meta: Cat: 1
diff --git a/Cat_1/RHEL-07-010291.yml b/Cat_1/RHEL-07-010291.yml
index 307553b..93a9bcc 100644
--- a/Cat_1/RHEL-07-010291.yml
+++ b/Cat_1/RHEL-07-010291.yml
@@ -1,10 +1,10 @@ {{ if .Vars.RHEL_07_010291 }} command: - check_nullok: + check_nullok_shadow: title: RHEL_07_010291 | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. exec: "awk -F: '!$2 {print $1}' /etc/shadow" exit-status: 0 - stdout: + stdout: - '!/./' meta: Cat: 1
diff --git a/Cat_1/RHEL-07-010440.yml b/Cat_1/RHEL-07-010440.yml
index 473e7c1..dcbdf8d 100644
--- a/Cat_1/RHEL-07-010440.yml
+++ b/Cat_1/RHEL-07-010440.yml
@@ -4,7 +4,7 @@ file: /etc/gdm/custom.conf: title: RHEL_07_010440 | Must not allow an unattended or automatic logon to the system via a graphical user interface. exists: true - contains: + contents: - '/^[aA]uto[mM]atic[lL]ogin[eE]nable=false/' - '!/^[aA]uto[mM]atic[lL]ogin[eE]nable=true/' meta:
diff --git a/Cat_1/RHEL-07-010450.yml b/Cat_1/RHEL-07-010450.yml
index ca42be7..c150aa3 100644
--- a/Cat_1/RHEL-07-010450.yml
+++ b/Cat_1/RHEL-07-010450.yml
@@ -4,7 +4,7 @@ file: /etc/gdm/custom.conf: title: RHEL-07-010450 | Must not allow an unrestricted logon to the system. exists: true - contains: + contents: - '/^[[tT]imed[lL]ogin[eE]nable=false' - '!/^[[tT]imed[lL]ogin[eE]nable=true' meta:
diff --git a/Cat_1/RHEL-07-010482.yml b/Cat_1/RHEL-07-010482.yml
index 83ae2dd..f5ad47a 100644
--- a/Cat_1/RHEL-07-010482.yml
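Review bot: The two patterns in the RHEL-07-010450 hunk, `'/^[[tT]imed[lL]ogin[eE]nable=false'` and `'!/^[[tT]imed[lL]ogin[eE]nable=true'`, have no closing `/`, and as far as I know goss only treats a pattern as a regex when it both starts and ends with `/`, so these would be matched as literal text that never occurs in custom.conf and the positive check cannot pass. The character class also carries a stray `[` (`[[tT]`). The neighbouring RHEL-07-010440 hunk shows the intended form; I would change the two lines to `- '/^[tT]imed[lL]ogin[eE]nable=false/'` and `- '!/^[tT]imed[lL]ogin[eE]nable=true/'`. Only the `contents:` rename is part of this commit; the patterns are unchanged context.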
+++ b/Cat_1/RHEL-07-010482.yml
@@ -5,7 +5,7 @@ file: /boot/grub2/user.cfg: title: RHEL-07-010482 | Require authentication upon booting into single-user and maintenance modes. | BIOS | (>=RHEL7.3) exists: true - contains: + contents: - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.*/' meta: Cat: 1
diff --git a/Cat_1/RHEL-07-010490.yml b/Cat_1/RHEL-07-010490.yml
index 3f84c4c..96a1283 100644
--- a/Cat_1/RHEL-07-010490.yml
+++ b/Cat_1/RHEL-07-010490.yml
@@ -1,11 +1,11 @@ -{{ if .Vars.rhel7stig_legacyOS }} +{{ if .Vars.rhel7stig_legacyOS }} {{ if not .Vars.rhel7stig_legacy_boot }} file: /boot/efi/EFI/redhat/grub.cfg: {{ if .Vars.RHEL_07_010490 }} title: RHEL-07-010490 | Require authentication upon booting into single-user and maintenance modes. | UEFI | (<= RHEL7.1) exists: true - contains: + contents: - '/^password_pbkdf2\sroot\s.*/' meta: Cat: 1
diff --git a/Cat_1/RHEL-07-010491.yml b/Cat_1/RHEL-07-010491.yml
index 37bcd7f..507b74d 100644
--- a/Cat_1/RHEL-07-010491.yml
+++ b/Cat_1/RHEL-07-010491.yml
@@ -1,11 +1,11 @@ -{{ if not .Vars.rhel7stig_legacyOS }} +{{ if not .Vars.rhel7stig_legacyOS }} {{ if not .Vars.rhel7stig_legacy_boot }} {{ if .Vars.RHEL_07_010491 }} file: /boot/efi/EFI/redhat/user.cfg: title: RHEL-07-010491 | Require authentication upon booting into single-user and maintenance modes. | UEFI | user.cfg | (>=RHEL7.3) exists: true - contains: + contents: - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.*/' meta: Cat: 1
diff --git a/Cat_1/RHEL-07-020230.yml b/Cat_1/RHEL-07-020230.yml
index 9eafdc8..00750af 100644
--- a/Cat_1/RHEL-07-020230.yml
+++ b/Cat_1/RHEL-07-020230.yml
@@ -8,7 +8,7 @@ service: Cat: 1 CCI: CCI-000366 Group_Title: SRG-OS-000480-GPOS-00227 - Rule_ID: SV-204455r833106_rule + Rule_ID: SV-204455r928574_rule STIG_ID: RHEL-07-020230 Vul_ID: V-204455 file:
diff --git a/Cat_1/RHEL-07-020231.yml b/Cat_1/RHEL-07-020231.yml
index bb173a1..3f301af 100644
--- a/Cat_1/RHEL-07-020231.yml
+++ b/Cat_1/RHEL-07-020231.yml
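Review bot: In the RHEL-07-010490 hunk the `{{ if .Vars.RHEL_07_010490 }}` guard sits below `/boot/efi/EFI/redhat/grub.cfg:`, so when the variable is false the rendered YAML keeps a `file:` entry for that path with no attributes, whereas the RHEL-07-010491 hunk places the guard before `file:` and drops the whole resource. Whether goss then errors or evaluates an attribute-less resource I cannot tell from here, but the two files should use the same structure, and moving the guard above `file:` as in 010491 is the smaller change. The matching `{{ end }}` lines are outside the hunk. This hunk otherwise only changes trailing whitespace on its first line and the `contents:` key.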
@@ -4,7 +4,7 @@ file: /etc/dconf/db/local.d/00-disable-CAD: title: RHEL_07_020231 | Must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface. exists: true - contains: + contents: - '/[org/gnome/settings-daemon/plugins/media-keys]/' - '^logout="' meta:
diff --git a/Cat_1/RHEL-07-020250.yml b/Cat_1/RHEL-07-020250.yml
index 538715d..aaac568 100644
--- a/Cat_1/RHEL-07-020250.yml
+++ b/Cat_1/RHEL-07-020250.yml
@@ -4,7 +4,7 @@ file: /etc/redhat-release: title: RHEL_07_020250 | The Red Hat Enterprise Linux operating system must be a vendor supported release. | Not EUS exists: true - contains: + contents: - '/^Red Hat Enterprise Linux Server release 7.\b([9]|1[0-2])\b/' meta: Cat: 1
diff --git a/Cat_1/RHEL-07-040800.yml b/Cat_1/RHEL-07-040800.yml
index 59970db..1334db2 100644
--- a/Cat_1/RHEL-07-040800.yml
+++ b/Cat_1/RHEL-07-040800.yml
@@ -3,7 +3,7 @@ file: /etc/snmp/snmpd.conf: title: RHEL_07_040800 | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default. exists: true - contains: + contents: - '!/^%\ssnmp.*public.*$/' - '!/^%\ssnmp.*private.*$/' meta:
diff --git a/Cat_2/RHEL-07-010050.yml b/Cat_2/RHEL-07-010050.yml
index 62bb029..a7f15c1 100644
--- a/Cat_2/RHEL-07-010050.yml
+++ b/Cat_2/RHEL-07-010050.yml
@@ -3,7 +3,7 @@ file: /etc/issue: title: RHEL-07-010050 | Must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. exists: true - contains: + contents: {{ if .Vars.rhel7stig_use_disa_banner}} - '/{{ .Vars.rhel7stig_disa_logon_banner }}/' {{ end }}
diff --git a/Cat_2/RHEL-07-010063.yml b/Cat_2/RHEL-07-010063.yml
index 2c339e8..05fd2d3 100644
--- a/Cat_2/RHEL-07-010063.yml
+++ b/Cat_2/RHEL-07-010063.yml
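Review bot: In the RHEL-07-020231 hunk the pattern `'/[org/gnome/settings-daemon/plugins/media-keys]/'` is a regex whose square brackets form a character class, so it matches any line containing one of those characters rather than the `[org/gnome/...]` section header, and `'^logout="'` has no enclosing slashes and, as I read goss's pattern syntax, is taken as a literal substring that includes the caret. If the intent is the dconf section header followed by a `logout` binding, `- '/^\[org/gnome/settings-daemon/plugins/media-keys\]/'` and `- '/^logout=/'` would test what the title describes; confirm the expected `logout` value against the hardening content before tightening the second one. Both lines are unchanged context in this hunk.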
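Review bot: The two negated patterns in the RHEL-07-040800 hunk, `'!/^%\ssnmp.*public.*$/'` and `'!/^%\ssnmp.*private.*$/'`, can only fail on a line that starts with `%` followed by whitespace and `snmp`; I am not aware of such a directive in snmpd.conf, where community strings are set on `com2sec`, `rocommunity` and `rwcommunity` lines, so as written the check appears unable to fail and the control is effectively unverified. Something like `- '!/^\s*(rocommunity|rwcommunity|com2sec)\b.*\b(public|private)\b/'` would catch the default strings; confirm against the STIG check text. The patterns are unchanged context; the commit only renames the key.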
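Review bot: In the RHEL-07-010050 hunk the banner variable is interpolated unescaped into a regex, `'/{{ .Vars.rhel7stig_disa_logon_banner }}/'`; the DoD banner text contains `.`, parentheses and other regex metacharacters, so unless the variable already holds an escaped string the pattern will not match the literal banner (parenthesised phrases in particular become groups). As I understand it goss also matches these patterns line by line, so a multi-line banner cannot be matched by one pattern. Either store the banner as a list of per-line patterns with metacharacters escaped, or drop the slashes and rely on literal substring matching if the variable is a single line. The `{{ end }}` closing the `if` is the last line of the hunk.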
@@ -18,7 +18,7 @@ file: /etc/dconf/profile/gdm: title: RHEL-07-010063 | Must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. exists: true - contains: + contents: - '/^user-db:user/' - '/^system-db:gdm/' - '/^file-db:/usr/share/gdm/greeter-dconf-defaults/'
diff --git a/Cat_2/RHEL-07-010199.yml b/Cat_2/RHEL-07-010199.yml
index 1bee74e..1968cc5 100644
--- a/Cat_2/RHEL-07-010199.yml
+++ b/Cat_2/RHEL-07-010199.yml
@@ -1,5 +1,5 @@ {{ if .Vars.RHEL_07_010199 }} -file: +file: /etc/pam.d/password-auth: title: RHEL-07-010199 | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility | passwd-auth-local. exists: true
@@ -30,7 +30,7 @@ file: owner: root group: root filetype: file - contains: + contents: - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/' - '/^auth\s+include password-auth-ac/' - '/^auth\s+sufficient pam_unix.so try_first_pass/'
@@ -55,8 +55,7 @@ file: owner: root group: root filetype: file - contains: - contains: + contents: - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/' - '/^auth\s+include system-auth-ac/' - '/^auth\s+sufficient pam_unix.so try_first_pass/'
diff --git a/Cat_2/RHEL-07-010310.yml b/Cat_2/RHEL-07-010310.yml
index 7fbdacc..621f673 100644
--- a/Cat_2/RHEL-07-010310.yml
+++ b/Cat_2/RHEL-07-010310.yml
@@ -12,7 +12,7 @@ command: Cat: 2 CCI: CCI-000795 Group_Title: SRG-OS-000118-GPOS-00060 - Rule_ID: SV-204426r809190_rule + Rule_ID: SV-204426r928568_rule STIG_ID: RHEL-07-010310 Vul_ID: V-204426 {{ end }}
diff --git a/Cat_2/RHEL-07-010500.yml b/Cat_2/RHEL-07-010500.yml
index ad224dc..b099de1 100644
--- a/Cat_2/RHEL-07-010500.yml
+++ b/Cat_2/RHEL-07-010500.yml
@@ -4,7 +4,7 @@ file: /etc/pam_pkcs11/pkcs_eventmgr.conf: title: RHEL-07-010500 | Must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. exists: true - contains: + contents: - '/^usr/X11R6/bin/xscreensaver-command -lock/' - '/^use_pkcs11_module = cackey;/' meta:
diff --git a/Cat_2/RHEL-07-020019.yml b/Cat_2/RHEL-07-020019.yml
index 40520dc..e4794b2 100644
--- a/Cat_2/RHEL-07-020019.yml
+++ b/Cat_2/RHEL-07-020019.yml
@@ -8,7 +8,7 @@ package: Cat: 2 CCI: CCI-001263 Group_Title: SRG-OS-000480-GPOS-00227 - Rule_ID: SV-214800r754751_rule + Rule_ID: SV-214800r942888_rule STIG_ID: RHEL-07-020019 Vul_ID: V-214800 process:
@@ -19,7 +19,7 @@ process: Cat: 2 CCI: CCI-001263 Group_Title: SRG-OS-000480-GPOS-00227 - Rule_ID: SV-214800r754751_rule + Rule_ID: SV-214800r942888_rule STIG_ID: RHEL-07-020019 Vul_ID: V-214800 {{ end }}
diff --git a/Cat_2/RHEL-07-020020.yml b/Cat_2/RHEL-07-020020.yml
index 52a6a18..b636ad2 100644
--- a/Cat_2/RHEL-07-020020.yml
+++ b/Cat_2/RHEL-07-020020.yml
@@ -12,7 +12,7 @@ command: - CCI-002235 - CCI-002165 Group_Title: SRG-OS-000324-GPOS-00125 - Rule_ID: SV-204444r792826_rule + Rule_ID: SV-204444r928571_rule STIG_ID: RHEL-07-020020 Vul_ID: V-204444 semanage_sysadm_u_check:
@@ -29,7 +29,7 @@ command: - CCI-002235 - CCI-002165 Group_Title: SRG-OS-000324-GPOS-00125 - Rule_ID: SV-204444r792826_rule + Rule_ID: SV-204444r928571_rule STIG_ID: RHEL-07-020020 Vul_ID: V-204444 semanage_staff_u_check:
@@ -46,7 +46,7 @@ command: - CCI-002235 - CCI-002165 Group_Title: SRG-OS-000324-GPOS-00125 - Rule_ID: SV-204444r754744_rule + Rule_ID: SV-204444r928571_rule STIG_ID: RHEL-07-020020 Vul_ID: V-204444 {{ end }}
diff --git a/Cat_2/RHEL-07-020021.yml b/Cat_2/RHEL-07-020021.yml
index 93470f6..9564054 100644
--- a/Cat_2/RHEL-07-020021.yml
+++ b/Cat_2/RHEL-07-020021.yml
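Review bot: The first pattern in the RHEL-07-010500 hunk, `'/^usr/X11R6/bin/xscreensaver-command -lock/'`, is anchored at the start of the line but omits the leading `/` of the path; in pkcs_eventmgr.conf the command appears as an indented, quoted `action = "/usr/X11R6/bin/xscreensaver-command -lock";` value inside an event block, so if that is the file being checked the pattern cannot match and the control always fails. `- '/^\s*action\s*=\s*"/usr/X11R6/bin/xscreensaver-command -lock"/'` would test the actual line; confirm against the STIG check text. The line is unchanged context in this hunk.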
@@ -13,7 +13,7 @@ command: - CCI-002235 - CCI-002165 Group_Title: SRG-OS-000324-GPOS-00125 - Rule_ID: SV-250312r792843_rule + Rule_ID: SV-250312r928579_rule STIG_ID: RHEL-07-020021 Vul_ID: V-250312 {{ end }}
diff --git a/Cat_2/RHEL-07-020022.yml b/Cat_2/RHEL-07-020022.yml
index 4f8dc11..4fba064 100644
--- a/Cat_2/RHEL-07-020022.yml
+++ b/Cat_2/RHEL-07-020022.yml
@@ -12,7 +12,7 @@ command: - CCI-002165 - CCI-002235 Group_Title: SRG-OS-000324-GPOS-00125 - Rule_ID: SV-250313r792846_rule + Rule_ID: SV-250313r942891_rule STIG_ID: RHEL-07-020022 Vul_ID: V-250313 {{ end }}
diff --git a/Cat_2/RHEL-07-020023.yml b/Cat_2/RHEL-07-020023.yml
index 70e0fc0..c173f62 100644
--- a/Cat_2/RHEL-07-020023.yml
+++ b/Cat_2/RHEL-07-020023.yml
@@ -15,7 +15,7 @@ command: - CCI-002165 - CCI-002235 Group_Title: SRG-OS-000324-GPOS-00125 - Rule_ID: SV-250314r861076_rule + Rule_ID: SV-250314r928582_rule STIG_ID: RHEL-07-020023 Vul_ID: V-250314 selinux_sudo_context_count:
@@ -30,7 +30,7 @@ command: - CCI-002165 - CCI-002235 Group_Title: SRG-OS-000324-GPOS-00125 - Rule_ID: SV-250314r861076_rule + Rule_ID: SV-250314r928582_rule STIG_ID: RHEL-07-020023 Vul_ID: V-250314 {{ end }}
diff --git a/Cat_2/RHEL-07-020029.yml b/Cat_2/RHEL-07-020029.yml
index 7e489b7..c82f412 100644
--- a/Cat_2/RHEL-07-020029.yml
+++ b/Cat_2/RHEL-07-020029.yml
@@ -1,7 +1,8 @@ {{ if .Vars.RHEL_07_020029 }} package: - aide: + aide_installed: title: RHEL-07-020029 | Must use a file integrity tool to verify correct operation of all security functions | package + name: aide installed: true meta: Cat: 2
diff --git a/Cat_2/RHEL-07-020100.yml b/Cat_2/RHEL-07-020100.yml
index d625abe..325d9a9 100644
--- a/Cat_2/RHEL-07-020100.yml
+++ b/Cat_2/RHEL-07-020100.yml
@@ -5,8 +5,8 @@ command: exec: grep usb-storage /etc/modprobe.d/usb-storage.conf exit-status: 0 stdout: - - '/^install usb-storage /bin/true/' - - '!/^#install usb-storage /bin/true/' + - '/^install usb-storage /bin/false/' + - '!/^install usb-storage /bin/true/' meta: Cat: 2 CCI:
@@ -14,7 +14,7 @@ command: - CCI-000778 - CCI-000366 Group_Title: SRG-OS-000114-GPOS-00059 - Rule_ID: SV-204449r603261_rule + Rule_ID: SV-204449r942894_rule STIG_ID: RHEL-07-020100 Vul_ID: V-204449 usb_storage_blacklist:
@@ -23,7 +23,6 @@ command: exit-status: 0 stdout: - '/^blacklist usb-storage/' - - '!/^#blacklist usb-storage/' meta: Cat: 2 CCI:
@@ -31,14 +30,14 @@ command: - CCI-000778 - CCI-000366 Group_Title: SRG-OS-000114-GPOS-00059 - Rule_ID: SV-204449r603261_rule + Rule_ID: SV-204449r942894_rule STIG_ID: RHEL-07-020100 Vul_ID: V-204449 modprobe_usb-storage: title: RHEL-07-020100 | Must be configured to disable USB mass storage. | running exit-status: 0 exec: 'modprobe -n -v usb-storage' - stdout: ['install /bin/true'] + stdout: ['install /bin/false'] meta: Cat: 2 CCI:
@@ -46,7 +45,7 @@ command: - CCI-000778 - CCI-000366 Group_Title: SRG-OS-000114-GPOS-00059 - Rule_ID: SV-204449r603261_rule + Rule_ID: SV-204449r942894_rule STIG_ID: RHEL-07-020100 Vul_ID: V-204449 {{ end }}
diff --git a/Cat_2/RHEL-07-020101.yml b/Cat_2/RHEL-07-020101.yml
index c16623d..06c2d6b 100644
--- a/Cat_2/RHEL-07-020101.yml
+++ b/Cat_2/RHEL-07-020101.yml
@@ -1,17 +1,17 @@ {{ if .Vars.RHEL_07_020101 }} command: - modprobe_dccp: + modprobe_dccp_module: title: RHEL-07-020101 | Must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. exec: grep dccp /etc/modprobe.d/dccp.conf exit-status: 0 stdout: - - '/^install dccp /bin/true/' - - '!/^#install dccp /bin/true/' + - '/^install dccp /bin/false/' + - '!/^install dccp /bin/true/' meta: Cat: 2 CCI: CCI-001958 Group_Title: SRG-OS-000378-GPOS-00163 - Rule_ID: SV-204450r603261_rule + Rule_ID: SV-204450r942897_rule STIG_ID: RHEL-07-020101 Vul_ID: V-204450 dccp_blacklist:
@@ -20,24 +20,23 @@ command: exit-status: 0 stdout: - '/^blacklist dccp/' - - '!/^#blacklist dccp/' meta: Cat: 2 CCI: CCI-001958 Group_Title: SRG-OS-000378-GPOS-00163 - Rule_ID: SV-204450r603261_rule + Rule_ID: SV-204450r942897_rule STIG_ID: RHEL-07-020101 Vul_ID: V-204450 - modprobe_dccp: + modprobe_dccp_loaded: title: RHEL-07-020101 | Must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. | running exit-status: 0 exec: 'modprobe -n -v dccp' - stdout: ['install /bin/true'] + stdout: ['install /bin/false'] meta: Cat: 2 CCI: CCI-001958 Group_Title: SRG-OS-000378-GPOS-00163 - Rule_ID: SV-204450r603261_rule + Rule_ID: SV-204450r942897_rule STIG_ID: RHEL-07-020101 Vul_ID: V-204450 {{ end }}
diff --git a/Cat_2/RHEL-07-020111.yml b/Cat_2/RHEL-07-020111.yml
index fe9930b..2464f57 100644
--- a/Cat_2/RHEL-07-020111.yml
+++ b/Cat_2/RHEL-07-020111.yml
@@ -1,10 +1,10 @@ {{ if .Vars.rhel7stig_gui }} {{ if .Vars.RHEL_07_020111 }} -file: +file: /etc/dconf/db/local.d/00-No-Automount: title: RHEL-07-020111 | Must disable the graphical user interface automounter unless required. exists: true - contains: + contents: - '/^automount=false/' - '/^automount-open=false/' - '/^autorun-never=true/'
diff --git a/Cat_2/RHEL-07-020210.yml b/Cat_2/RHEL-07-020210.yml
index b64553d..3ef080c 100644
--- a/Cat_2/RHEL-07-020210.yml
+++ b/Cat_2/RHEL-07-020210.yml
@@ -12,7 +12,7 @@ command: - CCI-002696 - CCI-002165 Group_Title: SRG-OS-000445-GPOS-00199 - Rule_ID: SV-204453r754746_rule + Rule_ID: SV-204453r942900_rule STIG_ID: RHEL-07-020210 Vul_ID: V-204453 selinux_config_enforcing:
@@ -29,7 +29,7 @@ command: - CCI-002696 - CCI-002165 Group_Title: SRG-OS-000445-GPOS-00199 - Rule_ID: SV-204453r754746_rule + Rule_ID: SV-204453r942900_rule STIG_ID: RHEL-07-020210 Vul_ID: V-204453 {{ end }}
diff --git a/Cat_2/RHEL-07-021620.yml b/Cat_2/RHEL-07-021620.yml
index 210112a..b012f01 100644
--- a/Cat_2/RHEL-07-021620.yml
+++ b/Cat_2/RHEL-07-021620.yml
@@ -1,8 +1,9 @@ {{ if .Vars.RHEL_07_021620 }} package: - aide: + aide_fips: title: RHEL-07-021620 | Must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. installed: true + name: aide meta: Cat: 2 CCI: CCI-000366
diff --git a/Cat_2/RHEL-07-021700.yml b/Cat_2/RHEL-07-021700.yml
index 448f240..2d51328 100644
--- a/Cat_2/RHEL-07-021700.yml
+++ b/Cat_2/RHEL-07-021700.yml
@@ -16,7 +16,7 @@ command: - CCI-001813 - CCI-000318 Group_Title: SRG-OS-000364-GPOS-00151 - Rule_ID: SV-204501r861008_rule + Rule_ID: SV-204501r928576_rule STIG_ID: RHEL-07-021700 Vul_ID: V-204501 {{ end }}
@@ -25,7 +25,7 @@ command: title: RHEL-07-021700 | Must not allow removable media to be used as the boot loader unless approved. exec: grep 'set root' /boot/grub2/grub.cfg exit-status: 0 - contains: + contents: - {{ .Vars.rhel7stig_grub_bootloader_validorder }} meta: Cat: 2
@@ -36,7 +36,7 @@ command: - CCI-001813 - CCI-000318 Group_Title: SRG-OS-000364-GPOS-00151 - Rule_ID: SV-204501r861008_rule + Rule_ID: SV-204501r928576_rule STIG_ID: RHEL-07-021700 Vul_ID: V-204501 {{ end }}
diff --git a/Cat_2/RHEL-07-030201.yml b/Cat_2/RHEL-07-030201.yml
index fc9b1ad..7c59d29 100644
--- a/Cat_2/RHEL-07-030201.yml
+++ b/Cat_2/RHEL-07-030201.yml
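Review bot: In the `@@ -25,7 +25,7 @@` hunk of RHEL-07-021700 the renamed key `contents:` belongs to a `command` resource (`exec:` and `exit-status:` sit alongside it), where the output matcher is `stdout:`; `contents:` is not a command attribute, so the expected value `{{ .Vars.rhel7stig_grub_bootloader_validorder }}` is either rejected or ignored and the check degrades to "grep exits 0". Change the line to `stdout:`. The template value is also inserted unquoted; wrapping it as `- '{{ .Vars.rhel7stig_grub_bootloader_validorder }}'` protects against YAML specials in the variable, unless the variable already carries its own quotes. The resource's key line sits above the hunk.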
@@ -3,7 +3,7 @@ file: /etc/audisp/plugins.d/au-remote.conf: title: RHEL-07-030201 | Must be configured to off-load audit logs onto a different system or storage media from the system being audited. exists: true - contains: + contents: - '/^active = yes/' - '/^direction = out/' - '/^path = /sbin/audisp-remote/'
diff --git a/Cat_2/RHEL-07-030630.yml b/Cat_2/RHEL-07-030630.yml
index 94c827c..f4b3b16 100644
--- a/Cat_2/RHEL-07-030630.yml
+++ b/Cat_2/RHEL-07-030630.yml
@@ -1,11 +1,11 @@ {{ if .Vars.RHEL_07_030630 }} command: - semanage_auditd_rules: - title: RHEL-07-030630 | Must audit all uses of the semanage command. | config + password_auditd_rules: + title: RHEL-07-030630 | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command. | config exec: grep -i semanage /etc/audit/rules.d/99_auditd.rules exit-status: 0 stdout: - - '/^-a always,exit -F path=/usr/sbin/semanage -F auid>={{ .Vars.rhel7stig_int_uid }} -F auid!=(4294967295|unset) -k privileged-priv_change/' + - '/^-a always,exit -F path=/usr/sbin/passwd -F auid>={{ .Vars.rhel7stig_int_uid }} -F auid!=(4294967295|unset) -k privileged-passwd/' meta: Cat: 2 CCI:
@@ -16,12 +16,12 @@ command: Rule_ID: SV-204542r833121_rule STIG_ID: RHEL-07-030630 Vul_ID: V-204542 - audit_semanage_running: - title: RHEL-07-030630 | Must audit all uses of the semanage command. | running - exec: auditctl -l | grep -w "semanage" + password_semanage_running: + title: RHEL-07-030630 | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command. | running + exec: auditctl -l | grep -w "/passwd" exit-status: 0 stdout: - - '/^-a always,exit -S all -F path=/usr/sbin/semanage -F auid>={{ .Vars.rhel7stig_int_uid }} -F auid!=(4294967295|unset|-1) -F key=privileged-priv_change/' + - '/^-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid> auid>={{ .Vars.rhel7stig_int_uid }} -F auid!=(4294967295|unset|-1) -F key=privileged-passwd/' meta: Cat: 2 CCI:
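Review bot: In the first RHEL-07-030630 hunk the check was retargeted from semanage to passwd, but `exec: grep -i semanage /etc/audit/rules.d/99_auditd.rules` was left unchanged, so its output can never contain the expected `-F path=/usr/sbin/passwd` rule and the config check always fails; it should read `exec: grep -i passwd /etc/audit/rules.d/99_auditd.rules`, and the path should agree with the second hunk (`/usr/bin/passwd`, which is where RHEL 7 installs the binary). In the second hunk the new pattern contains a duplicated token, `-F auid> auid>=`, which makes the regex unmatchable, and it drops the `-S all` that the removed pattern carried and that, as far as I recall, `auditctl -l` prints for path rules; I would use `- '/^-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>={{ .Vars.rhel7stig_int_uid }} -F auid!=(4294967295|unset|-1) -F key=privileged-passwd/'`. The key `password_semanage_running` still carries the old command name; `passwd_auditd_running` would pair with the first check. The second check's `meta:` mapping continues past the end of the hunk.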
diff --git a/Cat_2/RHEL-07-030700.yml b/Cat_2/RHEL-07-030700.yml
index 6d482e2..a561685 100644
--- a/Cat_2/RHEL-07-030700.yml
+++ b/Cat_2/RHEL-07-030700.yml
@@ -17,7 +17,6 @@ command: Rule_ID: SV-204549r603261_rule STIG_ID: RHEL-07-030700 Vul_ID: V-204549 -command: audit_sudoers_running: title: RHEL-07-030700 | Must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. | running exec: auditctl -l | grep -w "sudoers"
diff --git a/Cat_2/RHEL-07-030710.yml b/Cat_2/RHEL-07-030710.yml
index cc18ed5..fa46570 100644
--- a/Cat_2/RHEL-07-030710.yml
+++ b/Cat_2/RHEL-07-030710.yml
@@ -17,7 +17,6 @@ command: Rule_ID: SV-204550r833142_rule STIG_ID: RHEL-07-030710 Vul_ID: V-204550 -command: audit_newgrp_running: title: RHEL-07-030710 | Must audit all uses of the newgrp command.| running exec: auditctl -l | grep -w "newgrp"
diff --git a/Cat_2/RHEL-07-030740.yml b/Cat_2/RHEL-07-030740.yml
index 31ff5bc..c707838 100644
--- a/Cat_2/RHEL-07-030740.yml
+++ b/Cat_2/RHEL-07-030740.yml
@@ -17,7 +17,6 @@ command: Rule_ID: SV-204552r833148_rule STIG_ID: RHEL-07-030740 Vul_ID: V-204552 -command: audit_mount_running: title: RHEL-07-030740 | Must audit all uses of the mount command and syscall.| running exec: auditctl -l | grep -w "mount"
diff --git a/Cat_2/RHEL-07-040110.yml b/Cat_2/RHEL-07-040110.yml
index 773dc55..14ae120 100644
--- a/Cat_2/RHEL-07-040110.yml
+++ b/Cat_2/RHEL-07-040110.yml
@@ -1,6 +1,6 @@ {{ if .Vars.RHEL_07_040110 }} command: - ciphers_sshd_config: + ciphers_sshd_config_dod: title: RHEL-07-040110 | must implement DoD-approved encryption to protect the confidentiality of SSH connections. exec: grep -i ciphers /etc/ssh/sshd_config exit-status: 0
diff --git a/Cat_2/RHEL-07-040180.yml b/Cat_2/RHEL-07-040180.yml
index 587f039..02dcdd1 100644
--- a/Cat_2/RHEL-07-040180.yml
+++ b/Cat_2/RHEL-07-040180.yml
@@ -1,8 +1,9 @@ {{ if .Vars.rhel7stig_auth_settings.use_sssd }} {{ if .Vars.RHEL_07_040190 }} service: - sssd: + sssd_ldap_auth_comms: title: RHEL-07-040180 | Must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. + name: sssd running: true enabled: true meta:
@@ -10,7 +11,7 @@ service: CCI: CCI-001453 Group_Title: SRG-OS-000250-GPOS-00093 Rule_ID: - - SV-204581r603261_rule + - SV-204581r942906_rule STIG_ID: - RHEL-07-040180 Vul_ID:
@@ -31,7 +32,7 @@ command: CCI: CCI-001453 Group_Title: SRG-OS-000250-GPOS-00093 Rule_ID: - - SV-204581r603261_rule + - SV-204581r942906_rule STIG_ID: - RHEL-07-040180
diff --git a/Cat_2/RHEL-07-040190.yml b/Cat_2/RHEL-07-040190.yml
index fd61d86..8480a23 100644
--- a/Cat_2/RHEL-07-040190.yml
+++ b/Cat_2/RHEL-07-040190.yml
@@ -1,8 +1,9 @@ {{ if .Vars.rhel7stig_auth_settings.use_sssd }} {{ if .Vars.RHEL_07_040190 }} service: - sssd: + sssd_ldap_comms: title: RHEL-07-040190 | Must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. + name: sssd running: true enabled: true meta:
@@ -10,7 +11,7 @@ service: CCI: CCI-001453 Group_Title: SRG-OS-000250-GPOS-00093 Rule_ID: - - SV-204582r603261_rule + - SV-204582r942909_rule STIG_ID: - RHEL-07-040190 Vul_ID:
@@ -31,7 +32,7 @@ command: CCI: CCI-001453 Group_Title: SRG-OS-000250-GPOS-00093 Rule_ID: - - SV-204582r603261_rule + - SV-204582r942909_rule STIG_ID: - RHEL-07-040190 Vul_ID:
diff --git a/Cat_2/RHEL-07-040200.yml b/Cat_2/RHEL-07-040200.yml
index 459d484..7c2cad3 100644
--- a/Cat_2/RHEL-07-040200.yml
+++ b/Cat_2/RHEL-07-040200.yml
@@ -1,8 +1,9 @@ {{ if .Vars.rhel7stig_auth_settings.use_sssd }} {{ if .Vars.RHEL_07_040200 }} service: - sssd: + sssd_peer_x509: title: RHEL-07-040200 | Must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. + name: sssd running: true enabled: true meta:
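Review bot: The first RHEL-07-040180 hunk is guarded by `{{ if .Vars.RHEL_07_040190 }}` on its second line, which is the toggle of the next control; the RHEL-07-040190 hunk uses the same variable and RHEL-07-040200 uses `RHEL_07_040200`, so this looks like a copy-paste and means 040180 cannot be enabled or disabled on its own — switching 040190 off silently drops this check as well. Unless the coupling is intended, change the line to `{{ if .Vars.RHEL_07_040180 }}`, assuming that variable exists in the vars file (it is not visible here). The guard is unchanged context; the commit only renames the resource and adds `name: sssd`.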
@@ -12,7 +13,7 @@ service: Rule_ID: - SV-204581r603261_rule - SV-204582r603261_rule - - SV-204583r603261_rule + - SV-204583r942912_rule STIG_ID: - RHEL-07-040180 - RHEL-07-040190
@@ -37,7 +38,7 @@ command: CCI: CCI-001453 Group_Title: SRG-OS-000250-GPOS-00093 Rule_ID: - - SV-204583r603261_rule + - SV-204583r942912_rule STIG_ID: - RHEL-07-040200 Vul_ID:
diff --git a/Cat_2/RHEL-07-040201.yml b/Cat_2/RHEL-07-040201.yml
index ebc3536..4d021fe 100644
--- a/Cat_2/RHEL-07-040201.yml
+++ b/Cat_2/RHEL-07-040201.yml
@@ -14,7 +14,7 @@ file: /proc/sys/kernel/randomize_va_space: title: RHEL-07-040201 | Must implement virtual address space randomization. exists: true - contains: + contents: - '2' meta: Cat: 2
diff --git a/Cat_2/RHEL-07-040500.yml b/Cat_2/RHEL-07-040500.yml
index d8fdd5a..b7233b5 100644
--- a/Cat_2/RHEL-07-040500.yml
+++ b/Cat_2/RHEL-07-040500.yml
@@ -4,7 +4,7 @@ file: /etc/ntp.conf: title: RHEL-07-040500 | Must for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). exists: true - contains: + contents: - '/^maxpoll ([0-9]|1[0-6])/' meta: Cat: 2
@@ -20,7 +20,7 @@ file: /etc/chrony.conf: title: RHEL-07-040500 | Must for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). exists: true - contains: + contents: - '/server\s.*maxpoll ([0-9]|1[0-6])$/' meta: Cat: 2
diff --git a/Cat_2/RHEL-07-040712.yml b/Cat_2/RHEL-07-040712.yml
index 45c2bf1..7e2095c 100644
--- a/Cat_2/RHEL-07-040712.yml
+++ b/Cat_2/RHEL-07-040712.yml
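Review bot: In the `@@ -12,7 +13,7 @@` hunk of RHEL-07-040200 the Rule_ID list still carries `SV-204581r603261_rule` and `SV-204582r603261_rule` as unchanged context while only the third entry is bumped, yet the RHEL-07-040180 and RHEL-07-040190 hunks in this same commit move those two to `SV-204581r942906_rule` and `SV-204582r942909_rule`. The combined list should be updated in step so reports for the three controls cite the same revisions. The list continues into the STIG_ID and Vul_ID entries outside the hunk.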
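Review bot: In the first RHEL-07-040500 hunk the pattern `'/^maxpoll ([0-9]|1[0-6])/'` is anchored at the start of the line, but in ntp.conf `maxpoll` is an option on a `server` line rather than a directive of its own, so the ntp check cannot match a compliant file. The chrony hunk below already uses the right shape, `'/server\s.*maxpoll ([0-9]|1[0-6])$/'`, and the same pattern (dropping the trailing `$` if other options may follow) would serve for ntp.conf; confirm against the STIG check text. Both patterns are unchanged context.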
@@ -1,6 +1,6 @@ {{ if .Vars.RHEL_07_040712 }} command: - ciphers_sshd_config: + ciphers_sshd_config_fips: title: RHEL-07-040712 | The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms. exec: grep -i kex /etc/ssh/sshd_config exit-status: 0
diff --git a/Cat_2/RHEL-07-040720.yml b/Cat_2/RHEL-07-040720.yml
index 6a11ccd..d1d6377 100644
--- a/Cat_2/RHEL-07-040720.yml
+++ b/Cat_2/RHEL-07-040720.yml
@@ -4,7 +4,7 @@ file: /etc/xinetd.d/tftp: title: RHEL-07-040720 | Must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode. exists: true - contains: + contents: - '/^server_args = -s /var/lib/tftpboot/' meta: Cat: 2
diff --git a/Cat_3/RHEL-07-021600.yml b/Cat_3/RHEL-07-021600.yml
index c78715b..e08c1c1 100644
--- a/Cat_3/RHEL-07-021600.yml
+++ b/Cat_3/RHEL-07-021600.yml
@@ -1,7 +1,8 @@ {{ if .Vars.RHEL_07_021600 }} package: - aide: + aide_acls: title: RHEL-07-021600 | Must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). | Aide Installed + name: aide installed: true meta: Cat: 3
diff --git a/Cat_3/RHEL-07-040600.yml b/Cat_3/RHEL-07-040600.yml
index df88186..7a53de2 100644
--- a/Cat_3/RHEL-07-040600.yml
+++ b/Cat_3/RHEL-07-040600.yml
@@ -3,7 +3,7 @@ file: /etc/resolv.conf: title: RHEL-07-040600 | Using DNS resolution, at least two name servers must be configured. exists: true - contains: + contents: {{ range .Vars.rhel7stig_nameservers }} - 'nameserver {{ . }}' {{ end }}
diff --git a/Changelog.md b/Changelog.md
index af7628f..0e5abbc 100644
--- a/Changelog.md
+++ b/Changelog.md
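Review bot: The new key `ciphers_sshd_config_fips` in the RHEL-07-040712 hunk names a ciphers check, but the resource greps `kex` and the title is about key exchange algorithms; a name such as `kex_sshd_config_fips` would keep the key and the title in step and avoid confusion with `ciphers_sshd_config_dod` in RHEL-07-040110. The rest of the resource lies outside the hunk.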
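Review bot: The pattern `'/^server_args = -s /var/lib/tftpboot/'` in the RHEL-07-040720 hunk is anchored at the start of the line with exactly one space on each side of `=`, but entries in an xinetd service file sit indented inside the `service tftp { ... }` block and are usually aligned with tabs or runs of spaces, so the stock layout would not match and the control would fail on a correctly configured host. `- '/^\s*server_args\s*=\s*-s\s+/var/lib/tftpboot/'` tolerates that whitespace; the line is unchanged context in this hunk.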
@@ -1,5 +1,16 @@ # changelog +## Stig v3r13 25th Oct 2023 + +updated run_audit script + +- RHEL_07_010310 - ruleid updated and INACTIVE var created +- RHEL_07_020020 - ruleid +- RHEL_07_020021 - ruleid +- RHEL_07_020023 - ruleid +- RHEL_07_020230 - ruleid +- RHEL_07_021700 - ruleid + ## Stig V3R12 26th July 2023 - Sept23 updated run_audit script, enhanced and allowed testing of goss version
diff --git a/README.md b/README.md
index c00628f..9b02c1c 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ ## Overview -based on STIG Version 3 Release 10 - 26th Jan 2023 +based on STIG Version 3 Release 14 - 24th Jan 2024 Set of configuration files and directories to audit STIG of RHEL/CentOS 7 servers This is configured in a directory structure level.
diff --git a/run_audit.sh b/run_audit.sh
index ca51cce..786486e 100755
--- a/run_audit.sh
+++ b/run_audit.sh
@@ -21,7 +21,7 @@ # Goss benchmark variables (these should not need changing unless new release) BENCHMARK=STIG # Benchmark Name aligns to the audit -BENCHMARK_VER=v3r12 +BENCHMARK_VER=v3r14 BENCHMARK_OS=RHEL7 # Goss host Variables
@@ -83,7 +83,7 @@ fi if [ "$(grep -Ec "rhel|oracle" /etc/os-release)" != 0 ]; then os_vendor="RHEL" else - os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr '[:lower:]')" + os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr '[:lower:]' '[:upper:]' )" fi os_maj_ver="$(grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' -f1)"
@@ -200,7 +200,7 @@ $AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-in # create screen output if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then eval $output_summary - echo " Completed file can be found at $audit_out" + echo "Completed file can be found at $audit_out" echo "###############" echo "Audit Completed" echo "###############"
diff --git a/vars/STIG.yml b/vars/STIG.yml
index f27b9f5..b3cf2a5 100644
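Review bot: The `@@ -200,7 +200,7 @@` hunk of run_audit.sh still runs `eval $output_summary` on the line above the changed echo; evaluating a variable as shell is only safe if it is assembled purely from constants, and its construction is outside this hunk, so I cannot confirm that here. If it only selects one of a few fixed command strings, a `case` on `"$format"` that calls the command directly would remove the `eval` altogether. On the same `if` line, `grep -c $BENCHMARK "$audit_out"` should quote `"$BENCHMARK"` like its neighbours. The changed line itself is only a whitespace trim in the message.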
--- a/vars/STIG.yml
+++ b/vars/STIG.yml
@@ -1,11 +1,11 @@ ## metadata for Audit benchmark -benchmark_version: 'v3.11' +benchmark_version: 'v3.14' ### Variables for for stig options # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact run_heavy_tests: true -timeout_ms: 60000 +timeout_ms: 120000 # set to redhat/centos/oracle rhel8stig_os_distribution: redhat
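Review bot: `rhel8stig_os_distribution: redhat` at the end of the vars/STIG.yml hunk uses an `rhel8stig_` prefix in a RHEL 7 benchmark whose other variables, as referenced throughout this diff, are `rhel7stig_*`; if nothing reads it under that name the setting is dead, and if something does, the prefix is misleading. Rename it to `rhel7stig_os_distribution` together with its consumer, or drop it. The comment `### Variables for for stig options` has a doubled word. Note also that the Changelog entry added in this commit is headed v3r13 while README, run_audit.sh and `benchmark_version: 'v3.14'` here say release 14. The hunk otherwise only bumps the version and `timeout_ms`.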