From c7694591d0d0fb81ee0b41854cd3af8ef422d259 Mon Sep 17 00:00:00 2001
From: MITRE SAF
Date: Fri, 12 Jul 2024 00:05:59 +0000
Subject: [PATCH] Automated ingestion of profiles

Signed-off-by: MITRE SAF
---
 ...dhat-enterprise-linux-8-stig-baseline.json | 58 +++++++++----------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json
index ca81f608..38248f22 100644
--- a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json
+++ b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json
@@ -318,7 +318,7 @@ ], "host": null }, - "code": "control 'SV-230545' do\n title 'RHEL 8 must disable access to network bpf syscall from unprivileged\nprocesses.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:\n\n$ sudo sysctl kernel.unprivileged_bpf_disabled\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1\n\nIf \"kernel.unprivileged_bpf_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a 
finding.'\n desc 'fix', 'Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.unprivileged_bpf_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230545'\n tag rid: 'SV-230545r858822_rule'\n tag stig_id: 'RHEL-08-040281'\n tag fix_id: 'F-33189r858821_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.unprivileged_bpf_disabled'\n action = 'bpf syscall from unprivileged processes'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} 
\\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230545' do\n title 'RHEL 8 must disable access to network bpf syscall from unprivileged\nprocesses.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands:\n\n$ sudo sysctl kernel.unprivileged_bpf_disabled\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1\n\nIf \"kernel.unprivileged_bpf_disabled\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.unprivileged_bpf_disabled = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230545'\n tag rid: 'SV-230545r858822_rule'\n tag stig_id: 'RHEL-08-040281'\n tag fix_id: 'F-33189r858821_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.unprivileged_bpf_disabled'\n action = 'bpf syscall from unprivileged processes'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n 
expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230545.rb", "line": 1 
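Review bot: The new guard `file = 'grep did not return filename' if file.empty?` on the `+` side of SV-230545 does not cover the case it names: when grep omits the filename, `item.split(':')` puts the whole `key = value` text into `file` and leaves `setting` as nil, so `file.empty?` is false and `setting.split('=')` on the next line raises NoMethodError. Forcing the filename and guarding the nil is the direct fix: `search_results = command("grep -rH ^#{parameter} #{sysctl_config_files}").stdout.split("\n")`, `file, setting = item.split(':', 2)`, `next if setting.nil?`. Today the stray `{} \;` operands in the command happen to give grep several file operands, which is the only reason a filename is always printed, so the guard is reached as soon as that residue is cleaned up. The same parsing block appears in SV-230543 and SV-230548 in this commit.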
@@ -1558,7 +1558,7 @@ "host": null, "container": null }, - "code": "control 'SV-251714' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n tag check_id: 'C-55151r902741_chk'\n tag severity: 'medium'\n tag gid: 'V-251714'\n tag rid: 'SV-251714r902743_rule'\n tag stig_id: 'RHEL-08-020102'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55105r902742_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) do\n os.release.to_f < 8.4\n end\n\n describe pam_auth_files['system-auth'] do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) }\n end\nend\n", + "code": "control 'SV-251714' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the system-auth file with the following command:\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/system-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n tag check_id: 'C-55151r902741_chk'\n tag severity: 'medium'\n tag gid: 'V-251714'\n tag rid: 'SV-251714r902743_rule'\n tag stig_id: 'RHEL-08-020102'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55105r902742_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n pam_auth_files = input('pam_auth_files')\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) do\n os.release.to_f < 8.4\n end\n\n describe pam(pam_auth_files['system-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) }\n end\nend\n", "source_location": { "ref": 
"./Red Hat 8 STIG/controls/SV-251714.rb", "line": 1 
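Review bot: `os.release.to_f < 8.4` in the `only_if` on the `+` side of SV-251714 mis-orders two-digit minor releases: if `os.release` is the dotted version string, `'8.10'.to_f` is 8.1, so RHEL 8.10 is treated as below 8.4 and the control runs where the check text says it is not applicable. Compare components instead, e.g. `Gem::Version.new(os.release) < Gem::Version.new('8.4')`. The switch to `pam(pam_auth_files['system-auth'])` looks right if `pam` is the profile's own resource; a one-line comment naming where `match_pam_rule` and `any_with_integer_arg` are defined would help readers. Separately, `any_with_integer_arg('retry', '>=', input('min_retry'))` reads as the opposite direction to the check text ("0 or greater than 3 is a finding"), which is worth confirming against the matcher's implementation.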
@@ -2265,7 +2265,7 @@ ], "host": null }, - "code": "control 'SV-230543' do\n title 'RHEL 8 must not allow interfaces to perform Internet Control Message\nProtocol (ICMP) redirects by default.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0\n\nIf \"net.ipv4.conf.default.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.send_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230543'\n tag rid: 'SV-230543r858816_rule'\n tag stig_id: 'RHEL-08-040270'\n tag fix_id: 
'F-33187r858815_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.send_redirects'\n action = 'IPv4 packet redirects for interfaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n 
end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230543' do\n title 'RHEL 8 must not allow interfaces to perform Internet Control Message\nProtocol (ICMP) redirects by default.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nCheck the value of the \"default send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.send_redirects\n\nnet.ipv4.conf.default.send_redirects=0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0\n\nIf \"net.ipv4.conf.default.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.send_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230543'\n tag rid: 'SV-230543r858816_rule'\n tag stig_id: 'RHEL-08-040270'\n tag fix_id: 
'F-33187r858815_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.send_redirects'\n action = 'IPv4 packet redirects for interfaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line 
`#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230543.rb", "line": 1 
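Review bot: The `^` anchor added to the grep on the `+` side of SV-230543 excludes commented-out lines, but it also misses a `key = value` line that carries leading whitespace if sysctl tolerates that form, and the dots in the parameter name remain unescaped regex metacharacters; `^[[:space:]]*#{Regexp.escape(parameter)}` is the tighter pattern. The command still passes the `{} \;` operands left over from a find -exec idiom; grep treats them as file names, complains on stderr and exits non-zero, which the control only survives because it reads stdout alone. Dropping them and adding `-H` keeps filenames in the output regardless of how many files the input expands to: `command("grep -rH '^[[:space:]]*#{Regexp.escape(parameter)}' #{sysctl_config_files}")`. The same command string appears in SV-230545 and SV-230548 in this commit.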
@@ -3214,7 +3214,7 @@ ], "host": null }, - "code": "control 'SV-230548' do\n title 'RHEL 8 must disable the use of user namespaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. 
If containers are in use, this requirement is not applicable.\n\n$ sudo sysctl user.max_user_namespaces\n\nuser.max_user_namespaces = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0\n\nIf \"user.max_user_namespaces\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nuser.max_user_namespaces = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230548'\n tag rid: 'SV-230548r858828_rule'\n tag stig_id: 'RHEL-08-040284'\n tag fix_id: 'F-33192r858827_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'user.max_user_namespaces'\n action = 'user namespaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the 
`/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230548' do\n title 'RHEL 8 must disable the use of user namespaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. 
If containers are in use, this requirement is not applicable.\n\n$ sudo sysctl user.max_user_namespaces\n\nuser.max_user_namespaces = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0\n\nIf \"user.max_user_namespaces\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nuser.max_user_namespaces = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230548'\n tag rid: 'SV-230548r858828_rule'\n tag stig_id: 'RHEL-08-040284'\n tag fix_id: 'F-33192r858827_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'user.max_user_namespaces'\n action = 'user namespaces'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the 
line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230548.rb", "line": 1 
@@ -3604,7 +3604,7 @@ ], "host": null }, - "code": "control 'SV-230539' do\n title 'RHEL 8 must not forward IPv6 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: 
net.ipv6.conf.default.accept_source_route = 0\n\nIf \"net.ipv6.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230539'\n tag rid: 'SV-230539r861085_rule'\n tag stig_id: 'RHEL-08-040250'\n tag fix_id: 'F-33183r858805_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_source_route'\n action = 'forwarding IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230539' do\n title 'RHEL 8 must not forward IPv6 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets by default.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_source_route\n\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0\n\nIf \"net.ipv6.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, 
in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230539'\n tag rid: 'SV-230539r861085_rule'\n tag stig_id: 'RHEL-08-040250'\n tag fix_id: 'F-33183r858805_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_source_route'\n action = 'forwarding IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230539.rb", "line": 1 
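Review bot: The new guard `file = 'grep did not return filename' if file.empty?` in the parse block does not cover the case it is named for: when grep omits the filename the line carries no `:` at all, so `item.split(':')` yields only `file`, `setting` is nil, and `setting.split('=')` on the following line raises NoMethodError instead of producing a finding; `file.empty?` only fires for a line that starts with a colon, and would itself raise on nil should `search_results` ever contain an empty line. Splitting on the first colon and keying on a missing `setting` covers both: `next if item.empty?`, then `file, setting = item.split(':', 2)`, then `file, setting = 'grep did not return filename', file if setting.nil?`. The `2` limit also keeps a path or value containing a colon from being mis-split. The identical block appears in the hunks at @@ -3670 and @@ -4399, so the same change applies there.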
@@ -3670,7 +3670,7 @@ ], "host": null }, - "code": "control 'SV-250317' do\n title 'RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sudo sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\nIf the IPv4 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results 
are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n net.ipv4.conf.all.forwarding=0\n\n Remove any configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.5\n tag check_id: 'C-53751r833382_chk'\n tag severity: 'medium'\n tag gid: 'V-250317'\n tag rid: 'SV-250317r858808_rule'\n tag stig_id: 'RHEL-08-040259'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-53705r858807_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.forwarding'\n action = 'IPv4 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-250317' do\n title 'RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network\n topology information with other routers. 
If this software is used when not required,\n system network information may be unnecessarily transmitted across the network.\n\n The sysctl --system command will load settings from all system configuration files.\n\n All configuration files are sorted by their filename in lexicographic order, regardless\n of which of the directories they reside in. If multiple files specify the same option,\n the entry in the file with the lexicographically latest name will take precedence.\n\n Files are read from directories in the following list from top to bottom. Once a file of a\n given filename is loaded, any file of the same name in subsequent directories is ignored.\n\n /etc/sysctl.d/*.conf\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sudo sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\nIf the IPv4 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router.\n\n Add or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\n net.ipv4.conf.all.forwarding=0\n\n Remove any 
configurations that conflict with the above from the following locations:\n /run/sysctl.d/*.conf\n /usr/local/lib/sysctl.d/*.conf\n /usr/lib/sysctl.d/*.conf\n /lib/sysctl.d/*.conf\n /etc/sysctl.conf\n /etc/sysctl.d/*.conf\n\n Load settings from all system configuration files with the following command:\n\n $ sudo sysctl --system'\n impact 0.5\n tag check_id: 'C-53751r833382_chk'\n tag severity: 'medium'\n tag gid: 'V-250317'\n tag rid: 'SV-250317r858808_rule'\n tag stig_id: 'RHEL-08-040259'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-53705r858807_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.forwarding'\n action = 'IPv4 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-250317.rb", "line": 1 
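Review bot: The value comparison inside the 'Configuration files' block is lax in a way that can hide a misconfiguration: `map(&:to_i)` and `v.to_i.eql?(value)` coerce any empty or non-numeric right-hand side to 0, which is exactly the expected `value`, so a line such as `net.ipv4.conf.all.forwarding = ` or one whose value is a letter-O typo is reported as compliant. Parsing with `Integer(v.strip, exception: false)` and treating nil as a failure stops malformed entries from collapsing onto the passing value, e.g. `parsed = config_values.values.flatten.map { |v| Integer(v.strip, exception: false) }` and `expect(parsed.all? { |v| v.eql?(value) }).to be true`, with `parsed` reused for the uniqueness check. The commit did not touch these lines; the same comparison is in the hunks at @@ -3604 and @@ -4399.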
@@ -4399,7 +4399,7 @@ ], "host": null }, - "code": "control 'SV-244552' do\n title 'RHEL 8 must not forward IPv4 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" 
is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244552'\n tag rid: 'SV-244552r858803_rule'\n tag stig_id: 'RHEL-08-040249'\n tag fix_id: 'F-47784r858802_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_source_route'\n action = 'IPv4 source-routed packets default'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244552' do\n title 'RHEL 8 must not forward IPv4 source-routed packets by default.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets by default.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_source_route\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0\n\nIf \"net.ipv4.conf.default.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets by default.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" 
directory:\n\nnet.ipv4.conf.default.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244552'\n tag rid: 'SV-244552r858803_rule'\n tag stig_id: 'RHEL-08-040249'\n tag fix_id: 'F-47784r858802_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_source_route'\n action = 'IPv4 source-routed packets default'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-244552.rb", "line": 1 
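Review bot: The grep invocation `command("grep -r ^#{parameter} #{sysctl_config_files} {} \;")` still carries `{} \;`, which only has meaning under `find -exec`; here grep receives `{}` and `;` as two extra file operands, complains about them on stderr, and because the operand count is then always above one it always prints filenames — so the no-filename case the new guard targets cannot occur until the residue is dropped, i.e. `command("grep -r '^#{parameter}' #{sysctl_config_files}")`. Two caveats on the new `^` anchor: the dots in `parameter` are unescaped (harmless for these names, but `Regexp.escape(parameter)` states the intent), and sysctl.conf(5), as I recall it, ignores whitespace before the token, so a valid indented line would now be counted as missing — a false finding rather than a missed one, but a quoted `^[[:space:]]*` prefix avoids it. The same command appears in the hunks at @@ -3604 and @@ -3670.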
@@ -4597,7 +4597,7 @@ ], "host": null }, - "code": "control 'SV-230544' do\n title 'RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)\nredirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0\n\nIf \"net.ipv6.conf.all.accept_redirects\" is not set to \"0\", is missing or 
commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv6 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230544'\n tag rid: 'SV-230544r858820_rule'\n tag stig_id: 'RHEL-08-040280'\n tag fix_id: 'F-33188r858819_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_redirect'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230544' do\n title 'RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP)\nredirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_redirects\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0\n\nIf \"net.ipv6.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv6 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above 
from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230544'\n tag rid: 'SV-230544r858820_rule'\n tag stig_id: 'RHEL-08-040280'\n tag fix_id: 'F-33188r858819_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_redirect'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230544.rb", "line": 1 
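Review bot: `parameter = 'net.ipv6.conf.all.accept_redirect'` in the new code drops the trailing `s`, while the check and fix text of the same control name `net.ipv6.conf.all.accept_redirects`, so `kernel_parameter(parameter)` presumably queries a key the kernel does not expose and the live-value test cannot pass on a compliant host. The newly anchored `grep -r ^#{parameter}` is only a prefix match, so the configuration-file half of the control will still find `accept_redirects` lines and will not surface the typo; the one-line fix is `parameter = 'net.ipv6.conf.all.accept_redirects'`. Shared with the SV-230537 and SV-230547 hunks below: the command still carries the `{} \;` find-exec leftovers as extra grep operands, and the added `file = 'grep did not return filename' if file.empty?` guard does not cover the case its text names, because a match printed without a filename prefix leaves `setting` nil and `setting.split('=')` raises before the guard matters. Forcing the prefix with `grep -rH` and guarding with `next if setting.nil?` would make the parser hold up in that case.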
@@ -4662,7 +4662,7 @@ ], "host": null }, - "code": "control 'SV-230537' do\n title 'RHEL 8 must not respond to Internet Control Message Protocol (ICMP)\nechoes sent to a broadcast address.'\n desc 'Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230537'\n tag rid: 'SV-230537r858797_rule'\n tag stig_id: 'RHEL-08-040230'\n tag fix_id: 'F-33181r858796_fix'\n tag cci: 
['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.icmp_echo_ignore_broadcasts'\n action = 'IPv4 broadcasts'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for 
#{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230537' do\n title 'RHEL 8 must not respond to Internet Control Message Protocol (ICMP)\nechoes sent to a broadcast address.'\n desc 'Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address.\n\nCheck the value of the \"icmp_echo_ignore_broadcasts\" variable with the following command:\n\n$ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1\n\nIf \"net.ipv4.icmp_echo_ignore_broadcasts\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230537'\n tag rid: 'SV-230537r858797_rule'\n tag stig_id: 'RHEL-08-040230'\n tag fix_id: 'F-33181r858796_fix'\n tag cci: 
['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.icmp_echo_ignore_broadcasts'\n action = 'IPv4 broadcasts'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` 
directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230537.rb", "line": 1 
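Review bot: The test description `it 'is disabled in sysctl -a'` in the new code reads backwards for this control, where the expected value `1` means ignoring broadcast echoes is turned on; the same template wording is carried into the other controls in this commit regardless of what `value` is. A description derived from the expected value, `it "is set to #{value} in sysctl -a" do`, reports correctly for every instance. Within that block, `expect(current_value.value).not_to be_nil` runs after `expect(current_value.value).to cmp value`, so unless the runner aggregates failures it is only reached once the value is already known to be non-nil; if the separate nil message is wanted, the two expectations should be swapped.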
@@ -5071,7 +5071,7 @@ ], "host": null }, - "code": "control 'SV-230547' do\n title 'RHEL 8 must restrict exposed kernel pointer addresses access.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:\n\n$ sudo sysctl kernel.kptr_restrict\n\nkernel.kptr_restrict = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1\n\nIf \"kernel.kptr_restrict\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict exposed kernel pointer addresses access by 
adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.kptr_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230547'\n tag rid: 'SV-230547r858826_rule'\n tag stig_id: 'RHEL-08-040283'\n tag fix_id: 'F-33191r858825_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.kptr_restrict'\n action = 'kernel pointer addresses'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n 
results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230547' do\n title 'RHEL 8 must restrict exposed kernel pointer addresses access.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands:\n\n$ sudo sysctl kernel.kptr_restrict\n\nkernel.kptr_restrict = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1\n\nIf \"kernel.kptr_restrict\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.kptr_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230547'\n tag rid: 'SV-230547r858826_rule'\n tag stig_id: 'RHEL-08-040283'\n tag fix_id: 'F-33191r858825_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.kptr_restrict'\n action = 'kernel pointer addresses'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add 
the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230547.rb", "line": 1 
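Review bot: The check text in this control accepts `kernel.kptr_restrict` set to "1" or "2", but the new code pins `value = 1` and tests it with `cmp value` and `v.to_i.eql?(value)`, so a host hardened to `kernel.kptr_restrict = 2` fails both the live and configuration-file checks despite being compliant by the control's own wording. Keeping `value = 1` as the recommended setting for the remediation message and adding `allowed_values = [1, 2]`, then `expect(allowed_values).to include(current_value.value.to_i)` and `expect(config_values.values.flatten.all? { |v| allowed_values.include?(v.to_i) }).to be true`, would match the text. The `only_if('This system is acting as a router on the network, ...') { !input('network_router') }` guard also looks copied from the network sysctl controls; a kernel pointer restriction does not depend on routing, and as written a router exempts itself from this control.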
@@ -5519,7 +5519,7 @@ ], "host": null }, - "code": "control 'SV-244554' do\n title 'RHEL 8 must enable hardening for the Berkeley Packet Filter\nJust-in-time compiler.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2\n\nIf \"net.core.bpf_jit_harden\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244554'\n tag rid: 'SV-244554r858832_rule'\n tag stig_id: 'RHEL-08-040286'\n tag fix_id: 'F-47786r858831_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.core.bpf_jit_harden'\n action = 'BPF JIT compiler'\n value = 2\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the 
`/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244554' do\n title 'RHEL 8 must enable hardening for the Berkeley Packet Filter\nJust-in-time compiler.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to \"2\" enables JIT hardening for all users.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 enables hardening for the BPF JIT with the following commands:\n\n$ sudo sysctl net.core.bpf_jit_harden\n\nnet.core.bpf_jit_harden = 2\n\nIf the returned line does not have a value of \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2\n\nIf \"net.core.bpf_jit_harden\" is not set to \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.core.bpf_jit_harden = 2\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244554'\n tag rid: 'SV-244554r858832_rule'\n tag stig_id: 'RHEL-08-040286'\n tag fix_id: 'F-47786r858831_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.core.bpf_jit_harden'\n action = 'BPF JIT compiler'\n value = 2\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the 
line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-244554.rb", "line": 1 
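Review bot: The new guard `file = 'grep did not return filename' if file.empty?` cannot fire for the case it is named after: when grep omits the filename prefix (GNU grep does so for a single regular-file operand), `item.split(':')` yields one element, so `file` holds the setting text, `setting` is nil, and `setting.split('=')` raises NoMethodError. Today the prefix is only guaranteed by the leftover `{} \;` operands (a `find -exec` remnant) that make grep see extra file arguments and complain about `{}` and `;` on stderr. Make it explicit instead: `search_results = command("grep -rH ^#{parameter} #{sysctl_config_files}").stdout.split("\n")` and `file, setting = item.split(':', 2)`, then the fallback line can go. The example label `'is disabled in sysctl -a'` is also misleading for a parameter that is being turned on (`value = 2`); something like `"is set to #{value} in the running kernel"` reads correctly for every control sharing this template.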
@@ -6075,7 +6075,7 @@ ], "host": null }, - "code": "control 'SV-230530' do\n title 'The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a\ngraphical user interface is installed.'\n desc 'A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', %q(Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed when using a graphical user interface with the following command:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo grep logout /etc/dconf/db/local.d/*\n\n logout=''\n\n If the \"logout\" key is bound to an action, is commented out, or is\nmissing, this is a finding.)\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a\ngraphical user interface by creating or editing the\n/etc/dconf/db/local.d/00-disable-CAD file.\n\n Add the setting to disable the Ctrl-Alt-Delete sequence for a graphical\nuser interface:\n\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\n\n Note: The value above is set to two single quotations.\n\n Then update the dconf settings:\n\n $ sudo dconf update\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230530'\n tag rid: 'SV-230530r646883_rule'\n tag stig_id: 'RHEL-08-040171'\n tag fix_id: 'F-33174r568337_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n 
!virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('grep logout /etc/dconf/db/local.d/*') do\n its('stdout.strip') { should cmp \"logout=''\" }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", + "code": "control 'SV-230530' do\n title 'The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a\ngraphical user interface is installed.'\n desc 'A locally logged-on user, who presses Ctrl-Alt-Delete, when at the\nconsole, can reboot the system. If accidentally pressed, as could happen in the\ncase of a mixed OS environment, this can create the risk of short-term loss of\navailability of systems due to unintentional reboot. In a graphical user\nenvironment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is\nreduced because the user will be prompted before any action is taken.'\n desc 'check', %q(Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete\nis pressed when using a graphical user interface with the following command:\n\n This requirement assumes the use of the RHEL 8 default graphical user\ninterface, Gnome Shell. 
If the system does not have any graphical user\ninterface installed, this requirement is Not Applicable.\n\n $ sudo grep logout /etc/dconf/db/local.d/*\n\n logout=''\n\n If the \"logout\" key is bound to an action, is commented out, or is\nmissing, this is a finding.)\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a\ngraphical user interface by creating or editing the\n/etc/dconf/db/local.d/00-disable-CAD file.\n\n Add the setting to disable the Ctrl-Alt-Delete sequence for a graphical\nuser interface:\n\n [org/gnome/settings-daemon/plugins/media-keys]\n logout=''\n\n Note: The value above is set to two single quotations.\n\n Then update the dconf settings:\n\n $ sudo dconf update\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230530'\n tag rid: 'SV-230530r646883_rule'\n tag stig_id: 'RHEL-08-040171'\n tag fix_id: 'F-33174r568337_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n if package('gnome-desktop3').installed?\n describe command('grep ^logout /etc/dconf/db/local.d/*') do\n its('stdout.strip') { should match(/logout=''/) }\n end\n else\n impact 0.0\n describe 'The system does not have GNOME installed' do\n skip \"The system does not have GNOME installed, this requirement is Not\n Applicable.\"\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230530.rb", "line": 1 
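Review bot: Replacing `cmp "logout=''"` with `match(/logout=''/)` on the whole grep output makes the control pass as soon as any file under /etc/dconf/db/local.d contains `logout=''`, even when another file in the same directory re-binds `logout` to a key sequence; the old equality check would not have matched the `file:` prefix grep adds when local.d holds more than one file, but it at least failed on extra output. Checking every matched line keeps the multi-file fix and still catches a conflicting binding, and `-H` makes the filename prefix unconditional so one pattern covers the single-file case too. Neither version confirms the key sits under `[org/gnome/settings-daemon/plugins/media-keys]`, which a plain grep cannot do, so a comment stating that limitation is worth adding. I have not verified whether dconf keyfiles accept `logout = ''` with spaces around `=`, so the pattern below tolerates them.
```ruby
  if package('gnome-desktop3').installed?
    # -H forces the filename prefix even when local.d holds a single file,
    # so every line can be checked with the same pattern. grep cannot verify
    # the enclosing [org/gnome/settings-daemon/plugins/media-keys] section.
    logout_lines = command('grep -H ^logout /etc/dconf/db/local.d/*').stdout.lines.map(&:strip)

    describe 'GNOME media-keys logout binding in /etc/dconf/db/local.d' do
      it "is defined and set to '' in every file that sets it" do
        expect(logout_lines).not_to be_empty, 'no file in /etc/dconf/db/local.d sets `logout`'
        expect(logout_lines).to all(match(/:logout\s*=\s*''\z/))
      end
    end
  else
    # … unchanged: Not Applicable branch when GNOME is absent …
  end
```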
@@ -6928,7 +6928,7 @@ ], "host": null }, - "code": "control 'SV-230549' do\n title 'RHEL 8 must use reverse path filtering on all IPv4 interfaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:\n\n$ sudo sysctl net.ipv4.conf.all.rp_filter\n\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use reverse path 
filtering on all IPv4 interfaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.ipv4.conf.all.rp_filter = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230549'\n tag rid: 'SV-230549r858830_rule'\n tag stig_id: 'RHEL-08-040285'\n tag fix_id: 'F-33193r858829_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.rp_filter'\n action = 'IPv4 reverse path filtering'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230549' do\n title 'RHEL 8 must use reverse path filtering on all IPv4 interfaces.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands:\n\n$ sudo sysctl net.ipv4.conf.all.rp_filter\n\nnet.ipv4.conf.all.rp_filter = 1\n\nIf the returned line does not have a value of \"1\" or \"2\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1\n\nIf \"net.ipv4.conf.all.rp_filter\" is not set to \"1\" or \"2\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nnet.ipv4.conf.all.rp_filter = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system 
configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230549'\n tag rid: 'SV-230549r858830_rule'\n tag stig_id: 'RHEL-08-040285'\n tag fix_id: 'F-33193r858829_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.rp_filter'\n action = 'IPv4 reverse path filtering'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230549.rb", "line": 1 
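Review bot: The check text accepts `net.ipv4.conf.all.rp_filter` set to "1" or "2", but the code pins `value = 1` in both the running-kernel assertion (`cmp value`) and the file check (`v.to_i.eql?(value)`), so a host using loose reverse-path filtering (2) is reported as a finding that the STIG does not call for. Suggest `allowed_values = [1, 2]`, `expect(allowed_values).to include(current_value.value.to_i)`, and `expect(config_values.values.flatten.all? { |v| allowed_values.include?(v.to_i) }).to be true`; a nil running value becomes 0 and still fails, so the separate `not_to be_nil` line can stay or go. The existing uniq-count test still flags a 1/2 mix across files as a conflict, which matches the "conflicting results" clause. The same `^#{parameter}` / `{} \;` grep issues as in the other sysctl controls of this patch apply here too.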
@@ -7249,7 +7249,7 @@ ], "host": null }, - "code": "control 'SV-230546' do\n title 'RHEL 8 must restrict usage of ptrace to descendant processes.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:\n\n$ sudo sysctl kernel.yama.ptrace_scope\n\nkernel.yama.ptrace_scope = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1\n\nIf \"kernel.yama.ptrace_scope\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict usage of ptrace to descendant processes by 
adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.yama.ptrace_scope = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230546'\n tag rid: 'SV-230546r858824_rule'\n tag stig_id: 'RHEL-08-040282'\n tag fix_id: 'F-33190r858823_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.yama.ptrace_scope'\n action = 'usage of ptrace'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n 
results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230546' do\n title 'RHEL 8 must restrict usage of ptrace to descendant processes.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:\n\n$ sudo sysctl kernel.yama.ptrace_scope\n\nkernel.yama.ptrace_scope = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1\n\nIf \"kernel.yama.ptrace_scope\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the \"/etc/sysctl.d\" directory:\n\nkernel.yama.ptrace_scope = 1\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230546'\n tag rid: 'SV-230546r858824_rule'\n tag stig_id: 'RHEL-08-040282'\n tag fix_id: 'F-33190r858823_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'kernel.yama.ptrace_scope'\n action = 'usage of ptrace'\n value = 1\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the 
line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230546.rb", "line": 1 
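Review bot: Anchoring the grep with `^#{parameter}` correctly stops commented-out lines from being counted as conflicts, but it also skips an indented `  kernel.yama.ptrace_scope = 1`, which procps sysctl applies as far as I recall (it strips leading whitespace) — the running-value test would pass while the file check reports the parameter as unset. A pattern anchored on the key and the `=` handles both and avoids prefix matches on longer key names: `search_results = command("grep -rHE '^\\s*#{parameter}\\s*=' #{sysctl_config_files}").stdout.split("\n")`, which also drops the `{} \;` remnant that currently makes grep report `{}` and `;` as missing files on stderr, and `-H` keeps the `file:` prefix the parser below relies on. The unescaped dots in the parameter name are harmless in practice, but `Regexp.escape(parameter)` would make the intent explicit.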
@@ -7684,7 +7684,7 @@ "host": null, "container": null }, - "code": "control 'SV-230318' do\n title 'All RHEL 8 world-writable directories must be owned by root, sys, bin,\nor an application user.'\n desc 'If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not owned by a system account, given the assumption that only system\naccounts have a uid lower than 1000. Run it once for each local partition\n[PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nshould be owned by root or another system account. 
If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230318'\n tag rid: 'SV-230318r743960_rule'\n tag stig_id: 'RHEL-08-010700'\n tag fix_id: 'F-32962r567701_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230318' do\n title 'All RHEL 8 world-writable directories must be owned by root, sys, bin,\nor an application user.'\n desc 'If a world-writable directory is not owned by root, sys, bin, or an\napplication User Identifier (UID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not owned by a system account, given the assumption that only system\naccounts have a uid lower than 1000. 
Run it once for each local partition\n[PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nshould be owned by root or another system account. If any world-writable\ndirectories are not owned by a system account, this should be investigated.\nFollowing this, the files should be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230318'\n tag rid: 'SV-230318r743960_rule'\n tag stig_id: 'RHEL-08-010700'\n tag fix_id: 'F-32962r567701_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230318.rb", "line": 1 
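Review bot: The `else` branch still fails open: `failing_dirs = command(cmd).stdout.split("\n").uniq` reads only stdout and never looks at `exit_status`, so if `find` fails outright (binary missing, every path rejected) the control passes with an empty list. Part of why the exit status is not usable today is that `partitions` is taken straight from `etc_fstab`, which appears to include non-path mount points such as `none`/`swap` for swap entries, making a non-zero exit from `find` the normal case; filter to absolute paths first, `partitions = etc_fstab.params.map { |p| p['mount_point'] }.uniq.select { |m| m.start_with?('/') }`, then run it once, `result = command(cmd)` / `failing_dirs = result.stdout.split("\n").uniq`, and add `expect(result.exit_status).to eq(0)` ahead of the emptiness assertion. The skip message added under `disable_slow_controls` is emitted in the report and reads `takes a long to run` / `accredidation`; `takes a long time to run` / `accreditation`. Since this JSON is an ingested copy, the fix belongs in `./Red Hat 8 STIG/controls/SV-230318.rb` named in `source_location`.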
@@ -7757,7 +7757,7 @@ ], "host": null }, - "code": "control 'SV-230535' do\n title 'RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0\n\nIf 
\"net.ipv6.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230535'\n tag rid: 'SV-230535r858793_rule'\n tag stig_id: 'RHEL-08-040210'\n tag fix_id: 'F-33179r858792_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_redirects'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230535' do\n title 'RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv6 ICMP redirect messages.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_redirects\n\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0\n\nIf \"net.ipv6.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_redirects = 
0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230535'\n tag rid: 'SV-230535r858793_rule'\n tag stig_id: 'RHEL-08-040210'\n tag fix_id: 'F-33179r858792_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_redirects'\n action = 'accepting IPv6 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230535.rb", "line": 1 
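Review bot: The new `grep -r ^#{parameter} ...` pattern is anchored only at the start and the key is not escaped, so it is a prefix match; harmless for `accept_redirects`, but the identical line in the SV-230541 hunk below searches `^net.ipv6.conf.all.accept_ra`, which also matches the separate `accept_ra_defrtr`, `accept_ra_pinfo` and `accept_ra_rtr_pref` sysctls, so a legitimate `accept_ra_defrtr = 1` would produce a spurious "conflicting settings" failure (the SV-230546 hunk at the top of this diff has the same shape). Anchor the key on both sides, `command("grep -rHE '^\\s*#{Regexp.escape(parameter)}\\s*=' #{sysctl_config_files}")`, which also drops the leftover `{} \;` arguments that currently make grep look for files literally named `{}` and `;`. The added `file = 'grep did not return filename' if file.empty?` guard only fires on a line beginning with `:`; the case that actually occurs when grep omits the filename (a single file argument) yields no colon at all, so `setting` is `nil` and `setting.split('=')` raises — `-H` in the command above removes that ambiguity. The upstream file is `./Red Hat 8 STIG/controls/SV-230535.rb` per `source_location`.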
@@ -8687,7 +8687,7 @@ ], "host": null }, - "code": "control 'SV-230541' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by using the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_ra\n\nnet.ipv6.conf.all.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: 
net.ipv6.conf.all.accept_ra = 0\n\nIf \"net.ipv6.conf.all.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230541'\n tag rid: 'SV-230541r858812_rule'\n tag stig_id: 'RHEL-08-040261'\n tag fix_id: 'F-33185r858811_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_ra'\n action = 'IPv6 router advertisements'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230541' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by using the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_ra\n\nnet.ipv6.conf.all.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0\n\nIf \"net.ipv6.conf.all.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not accept router advertisements on all IPv6 
interfaces unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230541'\n tag rid: 'SV-230541r858812_rule'\n tag stig_id: 'RHEL-08-040261'\n tag fix_id: 'F-33185r858811_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_ra'\n action = 'IPv6 router advertisements'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230541.rb", "line": 1 
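Review bot: The configuration-file checks coerce with `to_i`, so `uniq_config_values` and the `all? { |v| v.to_i.eql?(value) }` expectation treat any non-numeric value (`yes`, `enabled`, a typo) as `0`, which is exactly the expected value here; a file line that sysctl would reject therefore passes the "right value" test, leaving only the live `kernel_parameter` check to catch it. Parse strictly instead, `ints = config_values.values.flatten.map { |v| Integer(v.strip, exception: false) }` and assert `ints.all? { |v| v == value }`, so an unparsable value becomes `nil` and fails with the offending text in the message. In the same block `expect(current_value.value).not_to be_nil` comes after `cmp value`, so when the parameter is absent the example already fails on the `cmp` line and the clearer nil message never appears; swap the two expectations. This applies identically to the SV-230535 and SV-230546 hunks above; the upstream source is `./Red Hat 8 STIG/controls/SV-230541.rb`.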
@@ -9561,7 +9561,7 @@ "host": null, "container": null }, - "code": "control 'SV-230257' do\n title 'RHEL 8 system commands must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \\\\;\n\nIf any system commands are found to be group-writable or world-writable, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any system command with a mode more permissive than \"755\".\n\n$ sudo chmod 755 [FILE]'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230257'\n tag rid: 'SV-230257r792862_rule'\n tag stig_id: 'RHEL-08-010300'\n tag fix_id: 'F-32901r792861_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n system_command_dirs = input('system_command_dirs').join(' ')\n\n failing_files = command(\"find -L #{system_command_dirs} -perm /0022 -exec ls -l '{}' \\\\;\").stdout.split(\"\\n\")\n \n # failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} -perm /0022 -exec ls -d '{}'' 
\\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it \"should have mode '0755' or less permissive\" do\n expect(failing_files).to be_empty, \"Files with excessive permissions:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230257' do\n title 'RHEL 8 system commands must have mode 755 or less permissive.'\n desc 'If RHEL 8 were to allow any user to make changes to software\nlibraries, then those changes might be implemented without undergoing the\nappropriate testing and approvals that are part of a robust change management\nprocess.\n\n This requirement applies to RHEL 8 with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software\nlibraries also include privileged programs that execute with escalated\nprivileges. Only qualified and authorized individuals will be allowed to obtain\naccess to information system components for purposes of initiating changes,\nincluding upgrades and modifications.'\n desc 'check', 'Verify the system commands contained in the following directories have mode \"755\" or less permissive with the following command:\n\n$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \\\\;\n\nIf any system commands are found to be group-writable or world-writable, this is a finding.'\n desc 'fix', 'Configure the system commands to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any system command with a mode more permissive than \"755\".\n\n$ sudo chmod 755 [FILE]'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000259-GPOS-00100'\n tag gid: 'V-230257'\n tag rid: 'SV-230257r792862_rule'\n tag stig_id: 'RHEL-08-010300'\n tag fix_id: 'F-32901r792861_fix'\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host'\n tag 'container'\n\n system_command_dirs = input('system_command_dirs').join(' ')\n\n failing_files = command(\"find -L 
#{system_command_dirs} -perm /0022 -exec ls -l '{}' \\\\;\").stdout.split(\"\\n\")\n\n # failing_files = command(\"find -L #{input('system_command_dirs').join(' ')} -perm /0022 -exec ls -d '{}'' \\\\;\").stdout.split(\"\\n\")\n\n describe 'System commands' do\n it \"should have mode '0755' or less permissive\" do\n expect(failing_files).to be_empty, \"Files with excessive permissions:\\n\\t- #{failing_files.join(\"\\n\\t- \")}\"\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230257.rb", "line": 1 
@@ -9932,7 +9932,7 @@ ], "host": null }, - "code": "control 'SV-230540' do\n title 'RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck that IPv6 forwarding is disabled using the following commands:\n\n$ sudo sysctl net.ipv6.conf.all.forwarding\n\nnet.ipv6.conf.all.forwarding = 0\n\nIf the IPv6 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0\n\nIf \"net.ipv6.conf.all.forwarding\" is not set to \"0\", is missing or 
commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.forwarding=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230540'\n tag rid: 'SV-230540r858810_rule'\n tag stig_id: 'RHEL-08-040260'\n tag fix_id: 'F-33184r858809_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.forwarding'\n action = 'IPv6 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230540' do\n title 'RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck that IPv6 forwarding is disabled using the following commands:\n\n$ sudo sysctl net.ipv6.conf.all.forwarding\n\nnet.ipv6.conf.all.forwarding = 0\n\nIf the IPv6 forwarding value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0\n\nIf \"net.ipv6.conf.all.forwarding\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.forwarding=0\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230540'\n tag rid: 'SV-230540r858810_rule'\n tag stig_id: 'RHEL-08-040260'\n tag fix_id: 'F-33184r858809_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.forwarding'\n action = 'IPv6 packet forwarding'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230540.rb", "line": 1 
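Review bot: The added guard `file = 'grep did not return filename' if file.empty?` tests the wrong variable: when grep prints a match without a filename, `item.split(':')` yields the whole line as `file` and `nil` as `setting`, so the following `setting.split('=')` raises NoMethodError and the guard never fires (`file` is empty only for a line that begins with ':'). Split with a limit and test the second half instead, e.g. `file, setting = item.split(':', 2)` followed by `file, setting = 'grep did not return filename', file if setting.nil?`. The trailing `{} \;` in the new `grep -r ^#{parameter} ...` command looks like a leftover from a find -exec idiom; grep treats `{}` and `;` as file names to search, which only adds stderr noise, but those extra arguments also appear to be what currently makes grep prefix file names when the input lists a single file, so dropping them should go together with an explicit `-H`. The same guard and command appear in the SV-244553 hunk below.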
@@ -10443,7 +10443,7 @@ ], "host": null }, - "code": "control 'SV-244553' do\n title 'RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this 
is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv4 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244553'\n tag rid: 'SV-244553r858818_rule'\n tag stig_id: 'RHEL-08-040279'\n tag fix_id: 'F-47785r858817_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_redirects'\n action = 'IPv4 redirect messages'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244553' do\n title 'RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 ignores IPv4 ICMP redirect messages.\n\nCheck the value of the \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_redirects\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0\n\nIf \"net.ipv4.conf.all.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to ignore IPv4 ICMP redirect messages.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244553'\n tag rid: 'SV-244553r858818_rule'\n tag stig_id: 'RHEL-08-040279'\n tag fix_id: 'F-47785r858817_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_redirects'\n action = 'IPv4 redirect messages'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-244553.rb", "line": 1 
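Review bot: Inside the `describe kernel_parameter(parameter)` block the expectation `expect(current_value.value).not_to be_nil` runs after `expect(current_value.value).to cmp value`, so an unset parameter fails on the comparison of nil against 0 rather than on the clearer nil check that was written for that case; put the `not_to be_nil` line first. The block also describes a fresh `kernel_parameter(parameter)` while asserting on `current_value` captured above, which reads the parameter twice for no benefit; `describe current_value do` keeps a single read. The same ordering is used in the SV-230540 hunk above.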
@@ -11188,7 +11188,7 @@ "host": null, "container": null }, - "code": "control 'SV-251715' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. 
If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n tag check_id: 'C-55152r902744_chk'\n tag severity: 'medium'\n tag gid: 'V-251715'\n tag rid: 'SV-251715r902746_rule'\n tag stig_id: 'RHEL-08-020103'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55106r902745_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) {\n os.release.to_f < 8.4\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam_auth_files['password-auth'] do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) }\n end\nend\n", + "code": "control 'SV-251715' do\n title 'RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
\"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 uses \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nBy limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.'\n desc 'check', 'Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable.\n\nVerify the operating system is configured to limit the \"pwquality\" retry option to 3.\n\nCheck for the use of the \"pwquality\" retry option in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so retry=3\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding.'\n desc 'fix', 'Configure the operating system to limit the \"pwquality\" retry option to 3.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so retry=3'\n impact 0.5\n tag check_id: 'C-55152r902744_chk'\n tag severity: 'medium'\n tag gid: 'V-251715'\n tag rid: 'SV-251715r902746_rule'\n tag stig_id: 'RHEL-08-020103'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag fix_id: 'F-55106r902745_fix'\n tag 'documentable'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n only_if('This requirement only applies to RHEL 8 versions below 8.4', impact: 0.0) {\n os.release.to_f < 8.4\n }\n\n pam_auth_files = input('pam_auth_files')\n\n describe pam(pam_auth_files['password-auth']) do\n its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) }\n end\nend\n", "source_location": { 
"ref": "./Red Hat 8 STIG/controls/SV-251715.rb", "line": 1 
@@ -11492,7 +11492,7 @@ "host": null, "container": null }, - "code": "control 'SV-230226' do\n title 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a graphical\nuser logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or 
work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"'\n desc 'check', %q(Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, 
or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.)\n desc 'fix', %q(Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n $ sudo dconf update)\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230226'\n tag rid: 'SV-230226r743916_rule'\n tag stig_id: 'RHEL-08-010050'\n tag fix_id: 'F-32870r743915_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n tag 'container'\n\n only_if(\"The system does not have GNOME installed; this requirement is Not\n Applicable.\", impact: 0.0) { package('gnome-desktop3').installed? }\n\n banner = command('grep ^banner-message-text /etc/dconf/db/local.d/*').stdout.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_gui').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The GUI Banner ' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\nend\n", + "code": "control 'SV-230226' do\n title 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local or remote access to the system via a graphical\nuser logon.'\n desc 'Display of a standardized and approved use notification before\ngranting access to the operating system ensures privacy and security\nnotification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n\n System use notifications are required only for access via logon interfaces\nwith human users and are not required when such human interfaces do not exist.\n\n The banner must be formatted in accordance with applicable DoD policy. 
Use\nthe following verbiage for operating systems that can accommodate banners of\n1300 characters:\n\n \"You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you\nconsent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be disclosed\nor used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to\nPM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.\"'\n desc 'check', %q(Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.)\n desc 'fix', %q(Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n $ sudo dconf update)\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000023-GPOS-00006'\n tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']\n tag gid: 'V-230226'\n tag rid: 'SV-230226r743916_rule'\n tag stig_id: 'RHEL-08-010050'\n tag fix_id: 'F-32870r743915_fix'\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host'\n tag 'container'\n\n only_if(\"The system does not have GNOME installed; this requirement is Not\n Applicable.\", impact: 0.0) { package('gnome-desktop3').installed? }\n\n banner_message_db = input('banner_message_db')\n\n banner = command(\"grep ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*\").stdout.gsub(/[\\r\\n\\s]/, '')\n expected_banner = input('banner_message_text_gui').gsub(/[\\r\\n\\s]/, '')\n\n describe 'The GUI Banner ' do\n it 'is set to the standard banner and has the correct text' do\n expect(banner).to eq(expected_banner), 'Banner does not match expected text'\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230226.rb", "line": 1 
@@ -11557,7 +11557,7 @@ ], "host": null }, - "code": "control 'SV-244550' do\n title 'RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is 
a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244550'\n tag rid: 'SV-244550r858791_rule'\n tag stig_id: 'RHEL-08-040209'\n tag fix_id: 'F-47782r858790_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_redirects'\n action = 'accepting IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244550' do\n title 'RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP)\nredirect messages from being accepted.'\n desc \"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\"\n desc 'check', 'Verify RHEL 8 will not accept IPv4 ICMP redirect messages.\n\nCheck the value of the default \"accept_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.default.accept_redirects\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0\n\nIf \"net.ipv4.conf.default.accept_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nRemove any configurations that conflict with the above from the following 
locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244550'\n tag rid: 'SV-244550r858791_rule'\n tag stig_id: 'RHEL-08-040209'\n tag fix_id: 'F-47782r858790_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.default.accept_redirects'\n action = 'accepting IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-244550.rb", "line": 1 
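Review bot: The new `file = 'grep did not return filename' if file.empty?` guard in the result parser only handles a leading colon; when a grep match carries no filename prefix at all (I believe GNU grep omits it under `-r` when `sysctl_conf_files` expands to a single file operand), `item.split(':')` yields one element, `setting` is nil, and `setting.split('=')` raises NoMethodError, aborting the control rather than reporting a finding. A second gap on the same lines is `map(&:to_i)` / `v.to_i.eql?(value)`: any non-numeric setting (a typo, a stray fragment after `=`) coerces to 0, which is exactly `value`, so a malformed line passes both the conflict check and the value check. I would parse with `file, setting = item.split(':', 2)` then `next if setting.nil?`, and compare with `Integer(v.strip, exception: false)` so a bad value surfaces as nil instead of silently matching. The trailing `{} \;` left on the grep command is still passed to grep as two file operands (harmless to stdout, but it prints errors and sets a non-zero exit status). The same parser and coercion appear unchanged in the SV-230542 hunk below.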
@@ -11922,7 +11922,7 @@ ], "host": null }, - "code": "control 'SV-230542' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces by\ndefault.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by default by using the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_ra\n\nnet.ipv6.conf.default.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf 
/etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0\n\nIf \"net.ipv6.conf.default.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230542'\n tag rid: 'SV-230542r858814_rule'\n tag stig_id: 'RHEL-08-040262'\n tag fix_id: 'F-33186r858813_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_ra'\n action = 'IPv6 router advertisements (by default for all interfaces)'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230542' do\n title 'RHEL 8 must not accept router advertisements on all IPv6 interfaces by\ndefault.'\n desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.\n\nNote: If IPv6 is disabled on the system, this requirement is not applicable.\n\nCheck to see if router advertisements are not accepted by default by using the following command:\n\n$ sudo sysctl net.ipv6.conf.default.accept_ra\n\nnet.ipv6.conf.default.accept_ra = 0\n\nIf the \"accept_ra\" value is not \"0\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0\n\nIf \"net.ipv6.conf.default.accept_ra\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not 
accept router advertisements on all IPv6 interfaces by default unless the system is a router.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.default.accept_ra=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230542'\n tag rid: 'SV-230542r858814_rule'\n tag stig_id: 'RHEL-08-040262'\n tag fix_id: 'F-33186r858813_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.default.accept_ra'\n action = 'IPv6 router advertisements (by default for all interfaces)'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230542.rb", "line": 1 
@@ -12204,7 +12204,7 @@ ], "host": null }, - "code": "control 'SV-244551' do\n title 'RHEL 8 must not forward IPv4 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not set to \"0\", is missing or 
commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244551'\n tag rid: 'SV-244551r858799_rule'\n tag stig_id: 'RHEL-08-040239'\n tag fix_id: 'F-47783r858798_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_source_route'\n action = 'IPv4 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-244551' do\n title 'RHEL 8 must not forward IPv4 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv4 source-routed packets.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.accept_source_route\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0\n\nIf \"net.ipv4.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv4 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.accept_source_route=0\n\nRemove any configurations that conflict 
with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-244551'\n tag rid: 'SV-244551r858799_rule'\n tag stig_id: 'RHEL-08-040239'\n tag fix_id: 'F-47783r858798_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.accept_source_route'\n action = 'IPv4 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-244551.rb", "line": 1 
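Review bot: The config-file value check in the new `else` branch still passes on a non-numeric setting: `results[file] << setting.split('=').last` is later coerced with `.map(&:to_i)` and `v.to_i.eql?(value)`, and Ruby's `to_i` returns 0 for any string that does not begin with a digit, so a line such as `net.ipv4.conf.all.accept_source_route = off` (or a typo) compares equal to the expected 0 and is reported as compliant. Parsing with `Integer(v.strip, exception: false)` and treating a `nil` result as a finding would close that gap. The `^` anchor added to the grep pattern correctly drops commented-out lines, but the parameter's dots remain unescaped regex metacharacters, a line with leading whitespace is missed, and the trailing `{} \;` is leftover `find -exec` syntax that passes a literal `{}` file operand to grep; `grep -rE "^\s*#{Regexp.escape(parameter)}\s*=" #{sysctl_config_files}` would be tighter. Whether sysctl itself tolerates leading whitespace in these files is not shown here, so confirm that before widening the pattern.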
@@ -12380,7 +12380,7 @@ "host": null, "container": null }, - "code": "control 'SV-230319' do\n title 'All RHEL 8 world-writable directories must be group-owned by root,\nsys, bin, or an application group.'\n desc 'If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not group-owned by a system account, given the assumption that only\nsystem accounts have a gid lower than 1000. Run it once for each local\npartition [PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nmust be group-owned by root or another system account. 
If any world-writable\ndirectories are not group-owned by a system account, this must be investigated.\n Following this, the directories must be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230319'\n tag rid: 'SV-230319r743961_rule'\n tag stig_id: 'RHEL-08-010710'\n tag fix_id: 'F-32963r567704_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be group-owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\nend\n", + "code": "control 'SV-230319' do\n title 'All RHEL 8 world-writable directories must be group-owned by root,\nsys, bin, or an application group.'\n desc 'If a world-writable directory is not group-owned by root, sys, bin, or\nan application Group Identifier (GID), unauthorized users may be able to modify\nfiles created by others.\n\n The only authorized public directories are those temporary directories\nsupplied with the system or those designed to be temporary file repositories.\nThe setting is normally reserved for directories used by the system and by\nusers for temporary file storage, (e.g., /tmp), and for directories requiring\nglobal read/write access.'\n desc 'check', 'The following command will discover and print world-writable directories\nthat are not group-owned by a system account, given the assumption that only\nsystem accounts have a gid lower than 1000. 
Run it once for each local\npartition [PART]:\n\n $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print\n\n If there is output, this is a finding.'\n desc 'fix', 'All directories in local partitions which are world-writable\nmust be group-owned by root or another system account. If any world-writable\ndirectories are not group-owned by a system account, this must be investigated.\n Following this, the directories must be deleted or assigned to an appropriate\ngroup.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230319'\n tag rid: 'SV-230319r743961_rule'\n tag stig_id: 'RHEL-08-010710'\n tag fix_id: 'F-32963r567704_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n tag 'container'\n\n if input('disable_slow_controls')\n describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do\n skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'\n end\n else\n\n partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq\n\n cmd = \"find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print\"\n failing_dirs = command(cmd).stdout.split(\"\\n\").uniq\n\n describe 'Any world-writeable directories' do\n it 'should be group-owned by system accounts' do\n expect(failing_dirs).to be_empty, \"Failing directories:\\n\\t- #{failing_dirs.join(\"\\n\\t- \")}\"\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230319.rb", "line": 1 
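Review bot: When `etc_fstab.params` yields no mount points (a container, or a host whose filesystems are mounted by systemd units rather than fstab), `partitions.join(' ')` is empty and the command becomes `find  -xdev -type d -perm -0002 -gid +999 -print`, which GNU find treats as a search of the current working directory rather than the local filesystems — the control would then pass or fail on whatever directory InSpec happens to run from, and the new `tag 'container'` makes that case more likely. Guarding with `partitions = ['/'] if partitions.empty?` before building `cmd`, or skipping with an explicit message, would make the behaviour deliberate. The fstab mount_point list may also contain non-path entries such as `swap` or `none`; `partitions.select { |p| p.start_with?('/') }` keeps find from erroring on them. The new skip message has two typos worth fixing: `takes a long to run` → `takes a long time to run` and `accredidation` → `accreditation`.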
@@ -12590,7 +12590,7 @@ ], "host": null }, - "code": "control 'SV-230538' do\n title 'RHEL 8 must not forward IPv6 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0\n\nIf 
\"net.ipv6.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv6.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230538'\n tag rid: 'SV-230538r858801_rule'\n tag stig_id: 'RHEL-08-040240'\n tag fix_id: 'F-33182r858800_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_source_route'\n action = 'accepting IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230538' do\n title 'RHEL 8 must not forward IPv6 source-routed packets.'\n desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 does not accept IPv6 source-routed packets.\n\nNote: If IPv6 is disabled on the system, this requirement is Not Applicable.\n\nCheck the value of the accept source route variable with the following command:\n\n$ sudo sysctl net.ipv6.conf.all.accept_source_route\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the returned line does not have a value of \"0\", a line is not returned, or the line is commented out, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0\n\nIf \"net.ipv6.conf.all.accept_source_route\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not forward IPv6 source-routed packets.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" 
directory:\n\nnet.ipv6.conf.all.accept_source_route=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230538'\n tag rid: 'SV-230538r858801_rule'\n tag stig_id: 'RHEL-08-040240'\n tag fix_id: 'F-33182r858800_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv6.conf.all.accept_source_route'\n action = 'accepting IPv6 source-routed packets'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv6_enabled') == false\n impact 0.0\n describe 'IPv6 is disabled on the system, this requirement is Not Applicable.' 
do\n skip 'IPv6 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230538.rb", "line": 1 
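Review bot: The `only_if` block marks this control Not Applicable when `input('network_router')` is true, yet the control's own `desc` says the requirement "applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router" — read literally the exemption looks inverted relative to the description, so it is worth confirming which way the profile intends it before a router host silently skips an IPv6 source-routing check. Separately, the parser in the new block only hardens the `file.empty?` case; if grep prints a match without a `file:` prefix, `file, setting = item.split(':')` leaves `setting` as `nil` and `setting.split('=')` raises `NoMethodError`, turning a configuration problem into a control error. A `next if setting.nil?` guard, or `item.split(':', 2)` with an explicit check, keeps the control reporting instead of crashing, and the `2` limit also stops a `:` inside the value from being discarded. The `^#{parameter}` pattern now skips commented lines, but the trailing `{} \;` is `find -exec` residue that passes a literal `{}` operand to grep and should simply be removed.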
@@ -12961,7 +12961,7 @@ ], "host": null }, - "code": "control 'SV-230536' do\n title 'RHEL 8 must not send Internet Control Message Protocol (ICMP)\nredirects.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0\n\nIf \"net.ipv4.conf.all.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.send_redirects=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230536'\n tag rid: 'SV-230536r858795_rule'\n tag stig_id: 'RHEL-08-040220'\n tag fix_id: 'F-33180r858794_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the 
network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.send_redirects'\n action = 'IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r #{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to eq(1), \"Expected one unique configuration, but got 
#{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n", + "code": "control 'SV-230536' do\n title 'RHEL 8 must not send Internet Control Message Protocol (ICMP)\nredirects.'\n desc %q(ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf)\n desc 'check', 'Verify RHEL 8 does not IPv4 ICMP redirect messages.\n\nCheck the value of the \"all send_redirects\" variables with the following command:\n\n$ sudo sysctl net.ipv4.conf.all.send_redirects\n\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0\n\nIf \"net.ipv4.conf.all.send_redirects\" is not set to \"0\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.send_redirects=0\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230536'\n tag rid: 'SV-230536r858795_rule'\n tag stig_id: 'RHEL-08-040220'\n tag fix_id: 'F-33180r858794_fix'\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This system is acting as a router on the 
network, this control is Not Applicable', impact: 0.0) {\n !input('network_router')\n }\n\n # Define the kernel parameter to be checked\n parameter = 'net.ipv4.conf.all.send_redirects'\n action = 'IPv4 redirects'\n value = 0\n\n # Get the current value of the kernel parameter\n current_value = kernel_parameter(parameter)\n\n # Check if the system is a Docker container\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('ipv4_enabled') == false\n impact 0.0\n describe 'IPv4 is disabled on the system, this requirement is Not Applicable.' do\n skip 'IPv4 is disabled on the system, this requirement is Not Applicable.'\n end\n else\n\n describe kernel_parameter(parameter) do\n it 'is disabled in sysctl -a' do\n expect(current_value.value).to cmp value\n expect(current_value.value).not_to be_nil\n end\n end\n\n # Get the list of sysctl configuration files\n sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')\n\n # Search for the kernel parameter in the configuration files\n search_results = command(\"grep -r ^#{parameter} #{sysctl_config_files} {} \\;\").stdout.split(\"\\n\")\n\n # Parse the search results into a hash\n config_values = search_results.each_with_object({}) do |item, results|\n file, setting = item.split(':')\n file = 'grep did not return filename' if file.empty?\n\n results[file] ||= []\n results[file] << setting.split('=').last\n end\n\n uniq_config_values = config_values.values.flatten.map(&:strip).map(&:to_i).uniq\n\n # Check the configuration files\n describe 'Configuration files' do\n if search_results.empty?\n it \"do not explicitly set the `#{parameter}` parameter\" do\n expect(config_values).not_to be_empty, \"Add the line `#{parameter}=#{value}` to a file in the `/etc/sysctl.d/` directory\"\n end\n else\n it \"do not have conflicting settings for #{action}\" do\n expect(uniq_config_values.count).to 
eq(1), \"Expected one unique configuration, but got #{config_values}\"\n end\n it \"set the parameter to the right value for #{action}\" do\n expect(config_values.values.flatten.all? { |v| v.to_i.eql?(value) }).to be true\n end\n end\n end\n end\nend\n",
 "source_location": {
 "ref": "./Red Hat 8 STIG/controls/SV-230536.rb",
 "line": 1
@@ -15763,7 +15763,7 @@
 "id": "controls/SV-230509.rb"
 }
 ],
- "sha256": "bbd3256770594cc32e4b191b9ee86b493290f7b5eb4aa33d3bbe85aa27dbea96",
+ "sha256": "51c7d3c3912074777127429e32a3287ee42e7922b7ccbee16398af0f120a14bb",
 "status_message": "",
 "status": "loaded",
 "generator": {